Re: [PATCH nft v5] tests: py: fix python3

2019-05-28 Thread Shivani Bhardwaj
On Tue, May 28, 2019 at 5:21 AM Shekhar Sharma  wrote:
>
> This patch converts the 'nft-test.py' file to run on both python 2 and 
> python3.
>
> The version history of this patch is:
> v1:conversion to py3 by changing the print statements.
> v2:add the '__future__' package for compatibility with py2 and py3.
> v3:solves the 'version' problem in argparse by adding a new argument.
> v4:uses .format() method to make print statements clearer.
> v5: updated the shebang and corrected the sequence of import statements.
>
>
> Signed-off-by: Shekhar Sharma 
> ---
>  tests/py/nft-test.py | 44 +++-
>  1 file changed, 23 insertions(+), 21 deletions(-)
>
> diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
> index 1c0afd0e..fe56340c 100755
> --- a/tests/py/nft-test.py
> +++ b/tests/py/nft-test.py
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python2
> +#!/usr/bin/python
>  #
>  # (C) 2014 by Ana Rey Botello 
>  #
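Review bot: The new shebang `#!/usr/bin/python` on the first line hardcodes a path that PEP 394 does not guarantee to exist or to be any particular major version, so on distributions that ship only versioned interpreters the script stops being directly executable. Since the series aims at running under either version, `#!/usr/bin/env python` resolves whichever interpreter is on PATH and is the more portable choice; alternatively keep a versioned shebang and let the harness invoke the interpreter explicitly.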
> @@ -13,6 +13,7 @@
>  # Thanks to the Outreach Program for Women (OPW) for sponsoring this test
>  # infrastructure.
>
> +from __future__ import print_function
>  import sys
>  import os
>  import argparse
> @@ -436,7 +437,7 @@ def set_delete(table, filename=None, lineno=None):
>  '''
>  Deletes set and its content.
>  '''
> -for set_name in all_set.keys():
> +for set_name in list(all_set.keys()):
What exactly is this list() for? This is not a generator expression.

>  # Check if exists the set
>  if not set_exist(set_name, table, filename, lineno):
>  reason = "The set %s does not exist, " \
> @@ -1002,9 +1003,9 @@ def execute_cmd(cmd, filename, lineno, 
> stdout_log=False, debug=False):
>  :param debug: temporarily set these debug flags
>  '''
>  global log_file
> -print >> log_file, "command: %s" % cmd
> +print("command: {}".format(cmd), file = log_file)
>  if debug_option:
> -print cmd
> +print(cmd)
>
>  if debug:
>  debug_old = nftables.get_debug()
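Review bot: `print("command: {}".format(cmd), file = log_file)` puts spaces around the `=` of a keyword argument, which PEP 8 disallows and which no other keyword argument in this series does; write it as `print("command: {}".format(cmd), file=log_file)`. The body of execute_cmd continues beyond the hunk.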
> @@ -1198,7 +1199,7 @@ def run_test_file(filename, force_all_family_option, 
> specific_file):
>  sys.stdout.flush()
>
>  if signal_received == 1:
> -print "\nSignal received. Cleaning up and Exitting..."
> +print("\nSignal received. Cleaning up and Exitting...")
>  cleanup_on_exit()
>  sys.exit(0)
>
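Review bot: The rewritten call `print("\nSignal received. Cleaning up and Exitting...")` keeps the misspelling of "Exiting" in a user-facing message; since the line is being touched anyway this is the moment to correct it, `print("\nSignal received. Cleaning up and Exiting...")`. run_test_file starts and ends outside this hunk.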
> @@ -1305,13 +1306,13 @@ def run_test_file(filename, force_all_family_option, 
> specific_file):
>
>  if specific_file:
>  if force_all_family_option:
> -print print_result_all(filename, tests, total_warning, 
> total_error,
> -   total_unit_run)
> +print(print_result_all(filename, tests, total_warning, 
> total_error,
> +   total_unit_run))
>  else:
> -print print_result(filename, tests, total_warning, total_error)
> +print(print_result(filename, tests, total_warning, total_error))
>  else:
>  if tests == passed and tests > 0:
> -print filename + ": " + Colors.GREEN + "OK" + Colors.ENDC
> +print(filename + ": " + Colors.GREEN + "OK" + Colors.ENDC)
>
>  f.close()
>  del table_list[:]
> @@ -1322,7 +1323,7 @@ def run_test_file(filename, force_all_family_option, 
> specific_file):
>
>
>  def main():
> -parser = argparse.ArgumentParser(description='Run nft tests', 
> version='1.0')
> +parser = argparse.ArgumentParser(description='Run nft tests')
>
>  parser.add_argument('filenames', nargs='*', metavar='path/to/file.t',
>  help='Run only these tests')
> @@ -1341,6 +1342,10 @@ def main():
>  dest='enable_json',
>  help='test JSON functionality as well')
>
> +parser.add_argument('-v', '--version', action='version',
> +version= '1.0',
> +help='prints the version information')
Since this message is for the user, it should be "print" IMO.

> +
>  args = parser.parse_args()
>  global debug_option, need_fix_option, enable_json_option
>  debug_option = args.debug
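Review bot: `version= '1.0'` in the new add_argument call has a space after the `=`, unlike the other keyword arguments in the same call; it should read `version='1.0'`. The literal also duplicates the value that the earlier hunk removed from the ArgumentParser constructor, so a module-level constant defined next to TESTS_PATH would keep the version in one place. The `-v` short option is only safe if no earlier add_argument in main() already claims it, which is not visible in this hunk.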
> @@ -1353,15 +1358,15 @@ def main():
>  signal.signal(signal.SIGTERM, signal_handler)
>
>  if os.getuid() != 0:
> -print "You need to be root to run this, sorry"
> +print("You need to be root to run this, sorry")
>  return
>
>  # Change working directory to repository root
>  os.chdir(TESTS_PATH + "/../..")
>
>  if not os.path.exists('src/.libs/libnftables.so'):
> -print "The nftables library does not exist. " \
> -  "You need to build the project."
> +print("The nftables library does not exist. "
> +  "You need to build the project.")
>  return
>
>  global nftables
> @@ -1411,18 +1416,15 @@ def main():
>  run_total += file_unit_run
>
>  if test_files == 0:
> -print "No test files to ru

Re: [PATCH nft v3]tests: py: fix python3.

2019-05-22 Thread Shivani Bhardwaj
On Wed, May 22, 2019 at 2:37 PM Shekhar Sharma  wrote:
>
> This patch solves the problem with the 'version' in the constructor of
> argparse (line 1325). A new argument has been added for printing the version.
> Now the file will run in python2 as well as python3.
>
> Thanks eric for the hint! :-)
>
> Signed-off-by: Shekhar Sharma 
> ---
>  tests/py/nft-test.py | 125 ++-
>  1 file changed, 88 insertions(+), 37 deletions(-)
>
> diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
> index 1c0afd0e..bb643ccc 100755
> --- a/tests/py/nft-test.py
> +++ b/tests/py/nft-test.py
> @@ -13,6 +13,8 @@
>  # Thanks to the Outreach Program for Women (OPW) for sponsoring this test
>  # infrastructure.
>
> +from __future__ import print_function
> +#from nftables import Nftables
>  import sys
>  import os
>  import argparse
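Review bot: The added `#from nftables import Nftables` is a commented-out import, and the following hunk removes the live `from nftables import Nftables` that sat after `sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))`; if the script still instantiates Nftables (the v5 posting of this file shows `global nftables` inside main()), it will now fail with a NameError at that point. The original placement below the sys.path manipulation is deliberate, because the module only becomes importable once that directory is on the path, so the import cannot simply move up into the stdlib import block. Drop the commented line and keep the original import where it was; this removal is also not mentioned in the commit message.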
> @@ -22,7 +24,6 @@ import json
>  TESTS_PATH = os.path.dirname(os.path.abspath(__file__))
>  sys.path.insert(0, os.path.join(TESTS_PATH, '../../py/'))
>
> -from nftables import Nftables
>
>  TESTS_DIRECTORY = ["any", "arp", "bridge", "inet", "ip", "ip6"]
>  LOGFILE = "/tmp/nftables-test.log"
> @@ -171,27 +172,31 @@ def print_differences_error(filename, lineno, cmd):
>  print_error(reason, filename, lineno)
>
>
> -def table_exist(table, filename, lineno):
> +def table_exist(table, filename, lineno, netns):
>  '''
>  Exists a table.
>  '''
>  cmd = "list table %s" % table
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, lineno)
>
>  return True if (ret == 0) else False
>
>
> -def table_flush(table, filename, lineno):
> +def table_flush(table, filename, lineno, netns):
>  '''
>  Flush a table.
>  '''
>  cmd = "flush table %s" % table
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  execute_cmd(cmd, filename, lineno)
>
>  return cmd
>
>
> -def table_create(table, filename, lineno):
> +def table_create(table, filename, lineno, netns):
>  '''
>  Adds a table.
>  '''
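Review bot: `cmd = "ip netns exec ___nftables-container-test" + cmd` has no space before the appended command, so table_exist produces `ip netns exec ___nftables-container-testlist table ...`; the same line is repeated in table_flush and table_create in this hunk and in table_delete, chain_exist, chain_create and chain_delete in the hunks that follow. Hoisting the literal into one constant that carries the trailing space, `NETNS_PREFIX = "ip netns exec ___nftables-container-test "`, and writing `cmd = NETNS_PREFIX + cmd` at every site fixes all eight occurrences at once. The new `netns` parameter is a required positional on table_exist, table_flush, table_create, chain_exist and chain_create but defaulted (`netns=0`) on table_delete and chain_delete, so every existing caller of the first group must be updated, and none of those updates appear in this patch. If execute_cmd hands the string to the libnftables binding rather than to a shell, as the `nftables.get_debug()` call in its v5 body suggests, an `ip netns exec` prefix will not be understood there at all. None of the namespace changes is described in the commit message, which only talks about the argparse version fix.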
> @@ -205,6 +210,8 @@ def table_create(table, filename, lineno):
>
>  # We add a new table
>  cmd = "add table %s" % table
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, lineno)
>
>  if ret != 0:
> @@ -233,7 +240,7 @@ def table_create(table, filename, lineno):
>  return 0
>
>
> -def table_delete(table, filename=None, lineno=None):
> +def table_delete(table, filename=None, lineno=None, netns=0):
>  '''
>  Deletes a table.
>  '''
> @@ -243,6 +250,8 @@ def table_delete(table, filename=None, lineno=None):
>  return -1
>
>  cmd = "delete table %s" % table
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, lineno)
>  if ret != 0:
>  reason = "%s: I cannot delete table %s. Giving up!" % (cmd, table)
> @@ -258,17 +267,19 @@ def table_delete(table, filename=None, lineno=None):
>  return 0
>
>
> -def chain_exist(chain, table, filename):
> +def chain_exist(chain, table, filename, netns):
>  '''
>  Checks a chain
>  '''
>  cmd = "list chain %s %s" % (table, chain)
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, chain.lineno)
>
>  return True if (ret == 0) else False
>
>
> -def chain_create(chain, table, filename):
> +def chain_create(chain, table, filename, netns):
>  '''
>  Adds a chain
>  '''
> @@ -279,6 +290,8 @@ def chain_create(chain, table, filename):
>  return -1
>
>  cmd = "add chain %s %s" % (table, chain)
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  if chain.config:
>  cmd += " { %s; }" % chain.config
>
> @@ -297,7 +310,7 @@ def chain_create(chain, table, filename):
>  return 0
>
>
> -def chain_delete(chain, table, filename=None, lineno=None):
> +def chain_delete(chain, table, filename=None, lineno=None, netns=0):
>  '''
>  Flushes and deletes a chain.
>  '''
> @@ -308,6 +321,8 @@ def chain_delete(chain, table, filename=None, 
> lineno=None):
>  return -1
>
>  cmd = "flush chain %s %s" % (table, chain)
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, lineno)
>  if ret != 0:
>  reason = "I cannot " + cmd
> @@ -315,6 +330,8 @@ def chain_delete(chain, table, filename=None, 
> lineno=None):
>  return -1
>
>  cmd = "delete chain %s %s" % (table, chain)
> +if netns:
> +cmd = "ip netns exec ___nftables-container-test" + cmd
>  ret = execute_cmd(cmd, filename, lineno)
>  if ret != 0:
>  reason = "I cannot " + cmd
> @@ -340,7 +357,7 @@ def chain_get_by_name(name):
>  return chain
>
>
> -def set_add(s, test_result, filename, 

[PATCH] src: consolidate XML/JSON exportation for rule

2017-02-08 Thread Shivani Bhardwaj
This completes the XML/JSON exportation using the new buffer class for
rule.

Signed-off-by: Shivani Bhardwaj 
---
 include/buffer.h |  5 +++
 src/buffer.c | 11 +++
 src/rule.c   | 96 
 3 files changed, 43 insertions(+), 69 deletions(-)

diff --git a/include/buffer.h b/include/buffer.h
index c571657..a3a50d7 100644
--- a/include/buffer.h
+++ b/include/buffer.h
@@ -35,12 +35,15 @@ int nftnl_buf_u64(struct nftnl_buf *b, int type, uint64_t 
value, const char *tag
 int nftnl_buf_str(struct nftnl_buf *b, int type, const char *str, const char 
*tag);
 int nftnl_buf_reg(struct nftnl_buf *b, int type, union nftnl_data_reg *reg,
int reg_type, const char *tag);
+int nftnl_buf_expr(struct nftnl_buf *b, int type);
 
 #define BASE   "base"
 #define BYTES  "bytes"
 #define BURST  "burst"
 #define CHAIN  "chain"
 #define CODE   "code"
+#define COMPAT_FLAGS   "compat_flags"
+#define COMPAT_PROTO   "compat_proto"
 #define CONSUMED   "consumed"
 #define DATA   "data"
 #define DEVICE "device"
@@ -64,10 +67,12 @@ int nftnl_buf_reg(struct nftnl_buf *b, int type, union 
nftnl_data_reg *reg,
 #define PACKETS"packets"
 #define PKTS   "pkts"
 #define POLICY "policy"
+#define POSITION   "position"
 #define PREFIX "prefix"
 #define PRIO   "prio"
 #define QTHRESH"qthreshold"
 #define RATE   "rate"
+#define RULE   "rule"
 #define SET"set"
 #define SET_NAME   "set_name"
 #define SIZE   "size"
diff --git a/src/buffer.c b/src/buffer.c
index d97d517..8dffef2 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -171,3 +171,14 @@ int nftnl_buf_reg(struct nftnl_buf *b, int type, union 
nftnl_data_reg *reg,
}
return 0;
 }
+
+int nftnl_buf_expr(struct nftnl_buf *b, int type)
+{
+   switch (type) {
+   case NFTNL_OUTPUT_XML:
+   return 0;
+   case NFTNL_OUTPUT_JSON:
+   return nftnl_buf_put(b, "\"expr\":[{");
+   }
+   return 0;
+}
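Review bot: nftnl_buf_expr writes only the opening `"expr":[{` for JSON and nothing for XML, so the caller is responsible for emitting the matching `}]`, and neither this definition nor the declaration added to include/buffer.h says so; a one-line comment above the function, `/* Opens the JSON "expr" array; the caller must close it. No-op for XML. */`, would make that contract visible. The switch has no `default:` arm, which is harmless because control falls through to the trailing `return 0`, but an explicit `default: break;` makes the treatment of other output types intentional rather than accidental.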
diff --git a/src/rule.c b/src/rule.c
index 02d013b..5359972 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -20,6 +20,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -645,83 +646,40 @@ int nftnl_rule_parse_file(struct nftnl_rule *r, enum 
nftnl_parse_type type,
 }
 EXPORT_SYMBOL(nftnl_rule_parse_file);
 
-static int nftnl_rule_snprintf_json(char *buf, size_t size,
-   const struct nftnl_rule *r,
-   uint32_t type, uint32_t flags)
+static int nftnl_rule_export(char *buf, size_t size,
+const struct nftnl_rule *r,
+uint32_t type, uint32_t flags)
 {
-   int ret, len = size, offset = 0;
struct nftnl_expr *expr;
 
-   ret = snprintf(buf, len, "{\"rule\":{");
-   SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-
-   if (r->flags & (1 << NFTNL_RULE_FAMILY)) {
-   ret = snprintf(buf+offset, len, "\"family\":\"%s\",",
-  nftnl_family2str(r->family));
-   SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-   }
-
-   if (r->flags & (1 << NFTNL_RULE_TABLE)) {
-   ret = snprintf(buf+offset, len, "\"table\":\"%s\",",
-  r->table);
-   SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-   }
-
-   if (r->flags & (1 << NFTNL_RULE_CHAIN)) {
-   ret = snprintf(buf+offset, len, "\"chain\":\"%s\",",
-  r->chain);
-   SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-   }
-   if (r->flags & (1 << NFTNL_RULE_HANDLE)) {
-   ret = snprintf(buf+offset, len, "\"handle\":%llu,",
-  (unsigned long long)r->handle);
-   SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-   }
-
-   if (r->flags & (1 << NFTNL_RULE_COMPAT_PROTO) ||
-   r->flags & (1 << NFTNL_RULE_COMPAT_FLAGS)) {
-   ret = snprintf(buf+offset, len, "\"compat_flags\":%u,"
-   "\"compat_proto\":%u,",
-  r->compat.flags, r->compat.proto)

Re: [PATCH] iptables: fix the wrong appending of jump verdict after the comment.

2017-01-26 Thread Shivani Bhardwaj
On Thu, Jan 26, 2017 at 2:49 PM, Shyam Saini  wrote:
> Fix wrong appending of jump verdict after the comment
>
> For example:
> $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s  192.168.0.0/16 
> -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 
> tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
>
> Note that even without comment with double-quotes (i.e. --comment
> "foobar"), it will add quotes:
>
> $ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 
> -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
> nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 
> 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
>
> Attempting to apply the translated/generated rule will result to:
>
> $ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr  
> 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
> :1:111-114: Error: syntax error, unexpected jump, expecting endof 
> file or newline or semicolon
> add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp 
> sport 80 counter comment "foobar"jump LONGNACCEPT
>
> After this patch
> $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 
> 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 
> tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
> which is correct translation
>
> Signed-off-by: Shyam Saini 

Reviewed-by: Shivani Bhardwaj 

It does get accepted by nft. Sorry about the last mail.
You could probably send out a similar patch for ip6 too.

Shivani

> ---
>  iptables/nft-ipv4.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
> index 52b1bed..e5947a7 100644
> --- a/iptables/nft-ipv4.c
> +++ b/iptables/nft-ipv4.c
> @@ -489,12 +489,11 @@ static int nft_ipv4_xlate(const void *data, struct 
> xt_xlate *xl)
>
> /* Always add counters per rule, as in iptables */
> xt_xlate_add(xl, "counter ");
> +   ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
>
> comment = xt_xlate_get_comment(xl);
> if (comment)
> -   xt_xlate_add(xl, "comment %s", comment);
> -
> -   ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
> +   xt_xlate_add(xl, " comment %s", comment);
>
> return ret;
>  }
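Review bot: After the move, `ret = xlate_action(...)` is evaluated before the comment is appended, but the `if (comment)` branch runs regardless of what xlate_action returned, so a failed action translation still gets `comment ...` appended to xl before the error value is returned. Returning early on failure, before the comment append, keeps the output buffer clean; the success-value convention of xlate_action is not visible in this hunk, so the exact test has to follow that convention. The leading space in `" comment %s"` also relies on xlate_action's output not ending in a space, whereas the `"counter "` literal above carries its own trailing space, so the two conventions are worth aligning. nft_ipv4_xlate begins outside the hunk, and the same hunk is quoted again in the second reply in this thread.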
> --
> 2.7.4
>


Re: [PATCH] iptables: fix the wrong appending of jump verdict after the comment.

2017-01-26 Thread Shivani Bhardwaj
Hi!

On Thu, Jan 26, 2017 at 2:49 PM, Shyam Saini  wrote:
> Fix wrong appending of jump verdict after the comment
>
> For example:
> $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s  192.168.0.0/16 
> -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 
> tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
>
> Note that even without comment with double-quotes (i.e. --comment
> "foobar"), it will add quotes:
>
> $ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 
> -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
> nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 
> 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
>
> Attempting to apply the translated/generated rule will result to:
>
> $ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr  
> 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
> :1:111-114: Error: syntax error, unexpected jump, expecting endof 
> file or newline or semicolon
> add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp 
> sport 80 counter comment "foobar"jump LONGNACCEPT
>
> After this patch
> $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 
> 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 
> tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
> which is correct translation
>

I get the following:

sudo nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr
192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment
\"foobar\"
:1:1-127: Error: Could not process rule: Operation not supported
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr
192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment "foobar"
^^^

Shivani

> Signed-off-by: Shyam Saini 
> ---
>  iptables/nft-ipv4.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
> index 52b1bed..e5947a7 100644
> --- a/iptables/nft-ipv4.c
> +++ b/iptables/nft-ipv4.c
> @@ -489,12 +489,11 @@ static int nft_ipv4_xlate(const void *data, struct 
> xt_xlate *xl)
>
> /* Always add counters per rule, as in iptables */
> xt_xlate_add(xl, "counter ");
> +   ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
>
> comment = xt_xlate_get_comment(xl);
> if (comment)
> -   xt_xlate_add(xl, "comment %s", comment);
> -
> -   ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
> +   xt_xlate_add(xl, " comment %s", comment);
>
> return ret;
>  }
> --
> 2.7.4
>


Re: [PATCH] libxtables: xtables.c: Use getnameinfo()

2016-12-11 Thread Shivani Bhardwaj
On Mon, Dec 12, 2016 at 1:35 AM, Pablo Neira Ayuso  wrote:
> On Sun, Dec 11, 2016 at 09:02:26PM +0100, Pablo Neira Ayuso wrote:
>> On Fri, Dec 09, 2016 at 05:20:00PM +0530, Shyam Saini wrote:
>> > Use getnameinfo() instead of deprecated gethostbyaddr()
>> >
>> > Signed-off-by: Shyam Saini 
>> > ---
>> >  libxtables/xtables.c | 25 -
>> >  1 file changed, 20 insertions(+), 5 deletions(-)
>> >
>> > diff --git a/libxtables/xtables.c b/libxtables/xtables.c
>> > index 921dfe9..338e325 100644
>> > --- a/libxtables/xtables.c
>> > +++ b/libxtables/xtables.c
>> > @@ -1210,13 +1210,28 @@ const char *xtables_ipaddr_to_numeric(const struct 
>> > in_addr *addrp)
>> >
>> >  static const char *ipaddr_to_host(const struct in_addr *addr)
>> >  {
>> > -   struct hostent *host;
>> > +   static char hostname[NI_MAXHOST];
>> > +   struct sockaddr_in saddr;
>> > +   int err;
>> >
>> > -   host = gethostbyaddr(addr, sizeof(struct in_addr), AF_INET);
>> > -   if (host == NULL)
>> > -   return NULL;
>> > +   memset(&saddr, 0, sizeof(struct sockaddr_in));
>> > +   memcpy(&saddr.sin_addr, addr, sizeof(*addr));
>>
>> You can skip this by perfoming C99 initialization, eg.
>>
>> struct sockaddr_in sin = { .sin_family = AF_INET, };
>> sin.sin_addr = *addr;
>
> One more comment below.
>
>> > +   saddr.sin_family = AF_INET;
>> > +
>> > +   err = getnameinfo((const void *)&saddr, sizeof(struct sockaddr_in),
>> > + hostname, sizeof(hostname) - 1, NULL, 0, 
>> > 0);
>> > +
>> > +if (err != 0) {
>> > +#ifdef DEBUG
>> > +fprintf(stderr,"IP2Name: %s\n",gai_strerror(err));
>> > +#endif
>
> I don't remember to have used this debugging this ever, probably it is
> good to remove it.
>

Debugging code has been in this applied patch too:
http://git.netfilter.org/iptables/commit/?id=2d2b5e046aa56a518160716a9ddf9df53fc79c1f.
Maybe it's good to remove it as well then?

>> > +return NULL;
>> > +   }
>> >
>> > -   return host->h_name;
>> > +#ifdef DEBUG
>> > +   fprintf (stderr, "\naddr2host: %s\n", hostname);
>> > +#endif
>> > +   return hostname;
>  ^^^
>
> Minor nitpick: indentation is not correct here.


[PATCH] extensions: libxt_mangle: Use getaddrinfo()

2016-11-07 Thread Shivani Bhardwaj
Replace gethostbyname() with getaddrinfo(): the former is deprecated
in favour of getaddrinfo(), which also allows programs to eliminate
IPv4-versus-IPv6 dependencies.

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_mangle.c | 28 ++--
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/extensions/libxt_mangle.c b/extensions/libxt_mangle.c
index 4b20feb..360742b 100644
--- a/extensions/libxt_mangle.c
+++ b/extensions/libxt_mangle.c
@@ -74,22 +74,30 @@ static void inaddrcpy(struct in_addr *dst, struct in_addr 
*src)
 
 static struct in_addr *host_to_addr(const char *name, unsigned int *naddr)
 {
-   struct hostent *host;
struct in_addr *addr;
+   struct addrinfo hints;
+   struct addrinfo *res, *p;
+   int err;
unsigned int i;
 
-   *naddr = 0;
-   if ((host = gethostbyname(name)) != NULL) {
-   if (host->h_addrtype != AF_INET ||
-   host->h_length != sizeof(struct in_addr))
-   return (struct in_addr *) NULL;
+   memset(&hints, 0, sizeof(hints));
+   hints.ai_flags= AI_CANONNAME;
+   hints.ai_family   = AF_INET;
+   hints.ai_socktype = SOCK_RAW;
 
-   while (host->h_addr_list[*naddr] != (char *) NULL)
+   *naddr = 0;
+   err = getaddrinfo(name, NULL, &hints, &res);
+   if (err != 0)
+   return NULL;
+   else {
+   for (p = res; p != NULL; p = p->ai_next)
(*naddr)++;
addr = xtables_calloc(*naddr, sizeof(struct in_addr));
-   for (i = 0; i < *naddr; i++)
-   inaddrcpy(&(addr[i]),
- (struct in_addr *) host->h_addr_list[i]);
+   for (i = 0, p = res; p != NULL; p = p->ai_next)
+   memcpy(&addr[i++],
+  &((const struct sockaddr_in 
*)p->ai_addr)->sin_addr,
+  sizeof(struct in_addr));
+   freeaddrinfo(res);
return addr;
}
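Review bot: The static helper inaddrcpy shown in the hunk header loses its only visible call site here (`inaddrcpy(&(addr[i]), ...)` is removed), so unless something else in the file still uses it the build will warn about an unused static function; it should be deleted together with this change. `hints.ai_flags = AI_CANONNAME` asks the resolver to fill in ai_canonname, which nothing in the new code reads, so the flag can be dropped. The cast `(const struct sockaddr_in *)p->ai_addr` is only valid for AF_INET entries; that holds because of `hints.ai_family = AF_INET`, but an `if (p->ai_family != AF_INET) continue;` in both loops would preserve the explicit family check that the removed `host->h_addrtype != AF_INET` line performed. The `else` after `return NULL` is redundant and only adds an indentation level. The same points apply verbatim to host_to_addr in the iptables/xtables-arp.c patch below.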
 
-- 
2.7.4



[PATCH] iptables: xtables-arp: Use getaddrinfo()

2016-11-07 Thread Shivani Bhardwaj
Replace gethostbyname() with getaddrinfo(): the former is deprecated
in favour of getaddrinfo(), which also allows programs to eliminate
IPv4-versus-IPv6 dependencies.

Signed-off-by: Shivani Bhardwaj 
---
 iptables/xtables-arp.c | 28 ++--
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 346bece..bd6d57c 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -587,22 +587,30 @@ check_inverse(const char option[], int *invert, int 
*optidx, int argc)
 static struct in_addr *
 host_to_addr(const char *name, unsigned int *naddr)
 {
-   struct hostent *host;
struct in_addr *addr;
+   struct addrinfo hints;
+   struct addrinfo *res, *p;
+   int err;
unsigned int i;
 
-   *naddr = 0;
-   if ((host = gethostbyname(name)) != NULL) {
-   if (host->h_addrtype != AF_INET ||
-   host->h_length != sizeof(struct in_addr))
-   return (struct in_addr *) NULL;
+   memset(&hints, 0, sizeof(hints));
+   hints.ai_flags= AI_CANONNAME;
+   hints.ai_family   = AF_INET;
+   hints.ai_socktype = SOCK_RAW;
 
-   while (host->h_addr_list[*naddr] != (char *) NULL)
+   *naddr = 0;
+   err = getaddrinfo(name, NULL, &hints, &res);
+   if (err != 0)
+   return NULL;
+   else {
+   for (p = res; p != NULL; p = p->ai_next)
(*naddr)++;
addr = xtables_calloc(*naddr, sizeof(struct in_addr));
-   for (i = 0; i < *naddr; i++)
-   inaddrcpy(&(addr[i]),
- (struct in_addr *) host->h_addr_list[i]);
+   for (i = 0, p = res; p != NULL; p = p->ai_next)
+   memcpy(&addr[i++],
+  &((const struct sockaddr_in 
*)p->ai_addr)->sin_addr,
+  sizeof(struct in_addr));
+   freeaddrinfo(res);
return addr;
}
 
-- 
2.7.4



[PATCH v4] doc: Complete documentation of statements

2016-07-29 Thread Shivani Bhardwaj
Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
QUEUE STATEMENT.

Signed-off-by: Shivani Bhardwaj 
---
Changes in v4:
Fix the syntax as per parser_bison

Changes in v3:
Correct meta fields, use lowercase statement names, merge nflog
with log.

Changes in v2:
Add more content to the description.

 doc/nft.xml | 239 +++-
 1 file changed, 237 insertions(+), 2 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index ea47e2b..d2f106b 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2191,36 +2191,271 @@ filter input iif eth0 drop

Log statement

+   
+   log
+   
+   prefix
+   level
+   group
+   snaplen
+   
queue-threshold
+   
+   

-   
+   
+   The log statement enables logging of matching 
packets. When this statement is used from a rule, the Linux kernel will print 
some information on all matching packets, such as header fields, via the kernel 
log (where it can be read with dmesg(1) or read in the syslog). This is a 
non-terminating statement, so the rule evaluation continues after the packet is 
logged. It is necessary to mention the group [default 0] to consider logging 
with nflog.
+   
+   log statement
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type
+   
+   
+   
+   
+   
level
+   Level of 
logging
+   unsigned 
integer (32 bit), emerg, alert, crit, err, warn [default], notice, info, 
debug
+   
+   
+   
prefix
+   Prefix 
log messages
+   
string
+   
+   
+
group
+Netlink 
group to send messages to
+
unsigned integer (32 bit)
+
+ 
+
snaplen
+Length 
of payload to include in netlink message
+
unsigned integer (32 bit)
+
+ 
+
queue-threshold
+Queue 
threshold value
+
unsigned integer (32 bit)
+
+   
+   
+   
+   
+

Reject statement

+   A reject statement is used to send back an 
error packet in response to the matched packet otherwise it is equivalent to 
drop so it is a terminating statement, ending rule

[PATCH iptables] configure: Fix assignment statement

2016-06-22 Thread Shivani Bhardwaj
The assignment statement was interpreted as executing an enable_connlabel
command with the argument "no". This was due to the whitespace in the
assignment.

Fixes the trivial bug introduced in commit 3b7a227 (configure: Show
support for connlabel)

Reported-by: Florian Westphal 
Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index c91e9e7..b47516b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,7 +175,7 @@ if test "x$enable_connlabel" = "xyes"; then
if test "$nfconntrack" -ne 1; then
blacklist_modules="$blacklist_modules connlabel";
echo "WARNING: libnetfilter_conntrack not found, connlabel 
match will not be built";
-   enable_connlabel = "no";
+   enable_connlabel="no";
fi;
 else
blacklist_modules="$blacklist_modules connlabel";
-- 
2.7.4



Re: [PATCH iptables] configure: Fix logic to show connlabel support

2016-06-22 Thread Shivani Bhardwaj
On Wed, Jun 22, 2016 at 10:00 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> With the earlier logic, when libnfnetlink and libnetfilter_conntrack
>> were not installed, all the warnings showed up correctly but the final
>> configuration showed:
>>
>> connlabel support:  yes
>>
>> which was faulty.
>> This was happening because connlabel module was blacklisted first and
>> then set to "no" if package requirements were not met.
>
> its because ...
>
>> diff --git a/configure.ac b/configure.ac
>> index c91e9e7..131bc8b 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -173,9 +173,9 @@ if test "x$enable_connlabel" = "xyes"; then
>>   [nfconntrack=1], [nfconntrack=0])
>>
>>   if test "$nfconntrack" -ne 1; then
>> + enable_connlabel="no";
>>   blacklist_modules="$blacklist_modules connlabel";
>>   echo "WARNING: libnetfilter_conntrack not found, connlabel 
>> match will not be built";
>> - enable_connlabel = "no";
>
> ... of the space around the '=', shell tried to execute
> 'enable_connlabel' command here.

Thanks. I'm sorry for misinterpreting and writing the wrong message. I
shall resend the patch.


[PATCH iptables] configure: Fix logic to show connlabel support

2016-06-22 Thread Shivani Bhardwaj
With the earlier logic, when libnfnetlink and libnetfilter_conntrack
were not installed, all the warnings showed up correctly but the final
configuration showed:

connlabel support:  yes

which was faulty.
This was happening because connlabel module was blacklisted first and
then set to "no" if package requirements were not met.
After this patch, iptables configuration shows up correctly.

Fixes commit 3b7a227 (configure: Show support for connlabel)

Tested before and after installing the dependencies.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index c91e9e7..131bc8b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -173,9 +173,9 @@ if test "x$enable_connlabel" = "xyes"; then
[nfconntrack=1], [nfconntrack=0])
 
if test "$nfconntrack" -ne 1; then
+   enable_connlabel="no";
blacklist_modules="$blacklist_modules connlabel";
echo "WARNING: libnetfilter_conntrack not found, connlabel 
match will not be built";
-   enable_connlabel = "no";
fi;
 else
blacklist_modules="$blacklist_modules connlabel";
-- 
2.7.4



[PATCH iptables] configure: Remove flex check warning

2016-06-20 Thread Shivani Bhardwaj
Remove the warning about outdated version of flex as it is not needed
anymore.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 15 ---
 1 file changed, 15 deletions(-)

diff --git a/configure.ac b/configure.ac
index b170add..c91e9e7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -157,21 +157,6 @@ if test "x$enable_nftables" = "xyes"; then
echo "Please install the 'flex' package."
exit 1
fi
-
-   AC_MSG_CHECKING(flex version)
-   flex_version=`$ac_cv_prog_LEX --version | sed 's/version//g' | awk 
'/flex/ {print $2}'`
-   flex_major=`echo $flex_version| cut -d . -f 1`
-   flex_minor=`echo $flex_version| cut -d . -f 2`
-   flex_rev=`echo $flex_version| cut -d . -f 3`
-
-   if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33"; then
-   AC_MSG_RESULT([$flex_version. OK])
-   else
-   AC_MSG_WARN([flex version $flex_version found.
-   Version 2.5.33 or greater is required. You may experience 
problems
-   while compilating the nftables compatibility layer for iptables.
-   Please, consider to upgrade flex.])
-   fi
 fi
 
 AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
-- 
2.7.4



[PATCH conntrack-tools] configure: Remove flex check warning

2016-06-20 Thread Shivani Bhardwaj
Remove the warning about outdated version of flex as it is not needed
anymore.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 15 ---
 1 file changed, 15 deletions(-)

diff --git a/configure.ac b/configure.ac
index c541034..b6c5439 100644
--- a/configure.ac
+++ b/configure.ac
@@ -40,21 +40,6 @@ then
exit 1
 fi
 
-AC_MSG_CHECKING(flex version)
-flex_version=`$ac_cv_prog_LEX --version | sed 's/version//g' | awk '/flex/ 
{print $2}'`
-flex_major=`echo $flex_version| cut -d . -f 1`
-flex_minor=`echo $flex_version| cut -d . -f 2`
-flex_rev=`echo $flex_version| cut -d . -f 3`
- 
-if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33"; then
-   AC_MSG_RESULT([$flex_version. OK])
-else
-   AC_MSG_WARN([flex version $flex_version found.
-   Version 2.5.33 or greater is required. You may experience problems
-   while compilating the conntrack-tools. Please, consider to upgrade 
-   flex.])
-fi
-
 AC_ARG_ENABLE([cthelper],
 AS_HELP_STRING([--disable-cthelper], [Do not build userspace helper 
support]),
 [enable_cthelper="$enableval"], [enable_cthelper="yes"])
-- 
2.7.4



Re: [PATCH conntrack-tools] configure: Fix flex version check

2016-06-18 Thread Shivani Bhardwaj
On Sat, Jun 18, 2016 at 6:12 PM, Pablo Neira Ayuso  wrote:
> Hi Shivani,
>
> Thanks for following up on this, see comment below.
>
> On Sat, Jun 18, 2016 at 12:47:43AM +0530, Shivani Bhardwaj wrote:
>> Following the fixes for version check in iptables and nftables, make
>> conntrack-tools avoid generating false warning for Flex version greater
>> than 2.5.x.
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>>  configure.ac | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index c541034..3bc5155 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -46,7 +46,7 @@ flex_major=`echo $flex_version| cut -d . -f 1`
>>  flex_minor=`echo $flex_version| cut -d . -f 2`
>>  flex_rev=`echo $flex_version| cut -d . -f 3`
>>
>> -if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
>> "$flex_rev" -ge "33"; then
>> +if (test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
>> "$flex_rev" -ge "33") || (test "$flex_major" -eq "2" && test "$flex_minor" 
>> -gt "5") || test "$flex_major" -gt "2"; then
>>   AC_MSG_RESULT([$flex_version. OK])
>>  else
>>   AC_MSG_WARN([flex version $flex_version found.
>
> I'm starting to think that it's better to get rid of this version
> check. This was introduced in 2008:
>
> ed50c34 ("add flex version warning (better with >= 2.5.33)")
>
> I can see RPM packages for 2.5.53 since 2008.
>
> The development of conntrack-tools a bit before that time, so I think
> it's better to nuke these checks, better since we have less code to
> maintain :)
>

Hi Pablo,

Just to avoid any confusion, should I be following up with patches for
iptables and conntrack-tools to completely remove this check? It is
already not there in nft. Please let me know.

Thank you.

> Thanks.


[PATCH conntrack-tools] configure: Fix flex version check

2016-06-17 Thread Shivani Bhardwaj
Following the fixes for version check in iptables and nftables, make
conntrack-tools avoid generating false warning for Flex version greater
than 2.5.x.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index c541034..3bc5155 100644
--- a/configure.ac
+++ b/configure.ac
@@ -46,7 +46,7 @@ flex_major=`echo $flex_version| cut -d . -f 1`
 flex_minor=`echo $flex_version| cut -d . -f 2`
 flex_rev=`echo $flex_version| cut -d . -f 3`
  
-if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33"; then
+if (test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33") || (test "$flex_major" -eq "2" && test "$flex_minor" -gt 
"5") || test "$flex_major" -gt "2"; then
AC_MSG_RESULT([$flex_version. OK])
 else
AC_MSG_WARN([flex version $flex_version found.
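Review bot: The new condition still hands raw `cut` fields to `test -eq`/`-ge`, so a version string with only two components (a constructed `2.5`, for instance) or a non-numeric suffix leaves `$flex_rev` empty or non-numeric and `test` prints "integer expression expected" on stderr instead of giving a clean result; that was already the case before the change, but the rewrite is the natural place to guard it, e.g. `test -n "$flex_rev" || flex_rev=0` ahead of the comparison. The identical expression is repeated in the nft patch ("configure: Show flex version check") and in both copies of the iptables "Fix logic for flex version check" patch further down the page, so the same guard applies there. The three parenthesised groups also run in subshells in a POSIX sh; ordering the tests as `test "$flex_major" -gt 2 || { test "$flex_major" -eq 2 && test "$flex_minor" -gt 5; } || ...` avoids that and reads closer to the intent "anything >= 2.5.33". The `flex_version=` assignment the fields come from lies outside this hunk.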
-- 
2.7.4



[PATCH nft] configure: Show flex version check

2016-06-17 Thread Shivani Bhardwaj
Before this patch, no check on the version of flex was done, so the
configure script did not show any warning message for an inappropriate
version of flex. Following iptables, show the version of flex in the
output of the configure script, and also show a warning if necessary.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/configure.ac b/configure.ac
index 0e7edcf..b3b6c0b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,21 @@ then
 exit 1
 fi
 
+AC_MSG_CHECKING(flex version)
+flex_version=`$ac_cv_prog_LEX --version | sed 's/version//g' | awk 
'/flex/ {print $2}'`
+flex_major=`echo $flex_version| cut -d . -f 1`
+flex_minor=`echo $flex_version| cut -d . -f 2`
+flex_rev=`echo $flex_version| cut -d . -f 3`
+
+if (test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33") || (test "$flex_major" -eq "2" && test "$flex_minor" -gt 
"5") || test "$flex_major" -gt "2"; then
+AC_MSG_RESULT([$flex_version. OK])
+else
+AC_MSG_WARN([flex version $flex_version found.
+Version 2.5.33 or greater is required. You may experience 
problems
+while compilating the nftables compatibility layer for 
iptables.
+Please, consider to upgrade flex.])
+fi
+
 AC_CHECK_PROG(DOCBOOK2X_MAN, [docbook2x-man], [docbook2x-man], [no])
 AC_CHECK_PROG(DOCBOOK2MAN, [docbook2man], [docbook2man], [no])
 AC_CHECK_PROG(DB2X_DOCBOOK2MAN, [db2x_docbook2man], [db2x_docbook2man], [no])
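Review bot: The warning text added with the `AC_MSG_WARN` call was copied from the iptables configure script and still reads `while compilating the nftables compatibility layer for iptables.`, which is wrong in nft's own configure.ac, where it is nftables itself that is being built; it also carries the typo "compilating". Suggested wording for the two lines: `Version 2.5.33 or greater is required. You may experience problems` / `while compiling nftables. Please consider upgrading flex.`. The version comparison above it shares the empty-field weakness raised on the conntrack-tools patch earlier on this page.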
-- 
2.7.4



[PATCH iptables] configure: Fix logic for flex version check

2016-06-17 Thread Shivani Bhardwaj
According to the previous logic of the flex version check, anything
greater than 2.5.33 but within 2.5.x was acceptable. The issue was
observed when a false warning was generated for flex version 2.6.0.
The new logic accepts basically everything greater than 2.5.33.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index b170add..0040f0b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -164,7 +164,7 @@ if test "x$enable_nftables" = "xyes"; then
flex_minor=`echo $flex_version| cut -d . -f 2`
flex_rev=`echo $flex_version| cut -d . -f 3`
 
-   if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33"; then
+   if (test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33") || (test "$flex_major" -eq "2" && test "$flex_minor" -gt 
"5") || test "$flex_major" -gt "2"; then
AC_MSG_RESULT([$flex_version. OK])
else
AC_MSG_WARN([flex version $flex_version found.
-- 
2.7.4



[PATCH] configure: Fix logic for flex version check

2016-06-16 Thread Shivani Bhardwaj
According to the previous logic of the flex version check, anything
greater than 2.5.33 but within 2.5.x was acceptable. The issue was
observed when a false warning was generated for flex version 2.6.0.
The new logic accepts basically everything greater than 2.5.33.

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index b170add..0040f0b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -164,7 +164,7 @@ if test "x$enable_nftables" = "xyes"; then
flex_minor=`echo $flex_version| cut -d . -f 2`
flex_rev=`echo $flex_version| cut -d . -f 3`
 
-   if test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33"; then
+   if (test "$flex_major" -eq "2" && test "$flex_minor" -eq "5" && test 
"$flex_rev" -ge "33") || (test "$flex_major" -eq "2" && test "$flex_minor" -gt 
"5") || test "$flex_major" -gt "2"; then
AC_MSG_RESULT([$flex_version. OK])
else
AC_MSG_WARN([flex version $flex_version found.
-- 
2.7.4



[PATCH] libipt_NETMAP: Avoid listing 32 bit mask and fix tests

2016-06-14 Thread Shivani Bhardwaj
(1) If subnet mask is unspecified with an IPv4 address, the rule
lists as

iptables -I PREROUTING -t nat -j NETMAP --to  to:1.2.3.4/32

Remove this and make the rule list as

iptables -I PREROUTING -t nat -j NETMAP --to  to:1.2.3.4

(2) Fix the tests for NETMAP for IPv4.

Before this patch,

ERROR: line 3 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to 
1.2.3.0/24)
ERROR: line 4 (cannot find: iptables -I PREROUTING -t nat -j NETMAP --to 
1.2.3.4)

After this patch, no errors with tests were observed.

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libipt_NETMAP.c | 2 +-
 extensions/libipt_NETMAP.t | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 4932c96..7c5d657 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -76,7 +76,7 @@ static void NETMAP_print(const void *ip, const struct 
xt_entry_target *target,
bits = netmask2bits(a.s_addr);
if (bits < 0)
printf("/%s", xtables_ipaddr_to_numeric(&a));
-   else
+   else if (bits < 32)
printf("/%d", bits);
 }
 
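Review bot: The new `else if (bits < 32)` guard silently encodes the convention that a single address carries an implied /32, and nothing at the call site says so; a one-line comment such as `/* a lone address implies /32; omit it so the listing matches the rule as given */` would keep the next reader from "fixing" it back. The expected listings in the `.t` hunk that follows (`-j NETMAP --to  to:1.2.3.4`) contain a doubled space and a `to:` token that look like print output rather than save output; it is worth confirming that this really is the intended save form before pinning it in the test file. NETMAP_print starts before the hunk.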
diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
index 31924b9..de2bf8f 100644
--- a/extensions/libipt_NETMAP.t
+++ b/extensions/libipt_NETMAP.t
@@ -1,4 +1,4 @@
 :PREROUTING,INPUT,OUTPUT,POSTROUTING
 *nat
--j NETMAP --to 1.2.3.0/24;=;OK
--j NETMAP --to 1.2.3.4;=;OK
+-j NETMAP --to 1.2.3.0/24;-j NETMAP --to  to:1.2.3.0/24;OK
+-j NETMAP --to 1.2.3.4;-j NETMAP --to  to:1.2.3.4;OK
-- 
1.9.1



[PATCH nf-next] netfilter: nf_log: Remove NULL check

2016-06-11 Thread Shivani Bhardwaj
If 'logger' is NULL, there is a direct jump to the label 'out'. Since it
has already been checked for NULL at that point, remove this unnecessary
second check.

Signed-off-by: Shivani Bhardwaj 
---
 net/netfilter/nf_log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index a5d41df..93236ab 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -167,7 +167,7 @@ int nf_logger_find_get(int pf, enum nf_log_type type)
if (logger == NULL)
goto out;
 
-   if (logger && try_module_get(logger->me))
+   if (try_module_get(logger->me))
ret = 0;
 out:
rcu_read_unlock();
-- 
1.9.1



[PATCH] extensions: libxt_devgroup: Fix order of mask and id

2016-06-02 Thread Shivani Bhardwaj
The order of mask and id in the translated code is wrong, so fix it.
This patch follows commit 8548dd by Liping Zhang.

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_devgroup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index a30fff0..f110ea7 100644
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -158,8 +158,8 @@ print_devgroup_xlate(unsigned int id, uint32_t op,  
unsigned int mask,
const char *name = NULL;
 
if (mask != 0x)
-   xt_xlate_add(xl, "and 0x%x %s 0x%x ", id,
-  op == XT_OP_EQ ? "==" : "!=", mask);
+   xt_xlate_add(xl, "and 0x%x %s 0x%x ", mask,
+  op == XT_OP_EQ ? "==" : "!=", id);
else {
if (numeric == 0)
name = xtables_lmap_id2name(devgroups, id);
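Review bot: The argument swap at the `xt_xlate_add` call is the right fix for the `and <mask> == <id>` form, but nothing pins the argument order, which is exactly how this slipped in here and in connmark's `print_mark_xlate` (fixed in the sibling patch further down the page). If the tree carries per-extension translation test files, add a case with a non-default mask (a constructed example: `-m devgroup --src-group 0x1/0xff` and its expected nft output); otherwise at least a comment at the call, `/* nft syntax: devgroup and <mask> == <id> */`, documents the order. print_devgroup_xlate continues outside the hunk.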
-- 
1.9.1



[PATCH] extensions: libxt_connmark: Fix order of mask and mark

2016-06-01 Thread Shivani Bhardwaj
The order of mask and mark in the output is wrong. This has been pointed
out: 
http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang .
This patch fixes the same issue with connmark.

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_connmark.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_connmark.c b/extensions/libxt_connmark.c
index fbfeb74..958a50c 100644
--- a/extensions/libxt_connmark.c
+++ b/extensions/libxt_connmark.c
@@ -127,8 +127,8 @@ static void print_mark_xlate(unsigned int mark, unsigned 
int mask,
 struct xt_xlate *xl, uint32_t op)
 {
if (mask != 0xU)
-   xt_xlate_add(xl, " and 0x%x %s 0x%x ", mark,
-  op == XT_OP_EQ ? "==" : "!=", mask);
+   xt_xlate_add(xl, " and 0x%x %s 0x%x ", mask,
+  op == XT_OP_EQ ? "==" : "!=", mark);
else
xt_xlate_add(xl, " %s0x%x ",
   op == XT_OP_EQ ? "" : "!= ", mark);
-- 
1.9.1



[PATCH v3] doc: Complete the documentation of statements

2016-05-12 Thread Shivani Bhardwaj
Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
QUEUE STATEMENT.

Signed-off-by: Shivani Bhardwaj 
---
Changes in v3:
Correct meta fields, use lowercase statement names, merge nflog
with log.

Changes in v2:
Add more content to the description.

 doc/nft.xml | 227 +++-
 1 file changed, 225 insertions(+), 2 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e4d227c..e3cd2d3 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2186,36 +2186,259 @@ filter input iif eth0 drop

Log statement

+   
+   log
+   
+   prefix
+   level
+   
+   

-   
+   
+   The log statement enables logging of matching 
packets. When this statement is used from a rule, the Linux kernel will print 
some information on all matching packets, such as header fields, via the kernel 
log (where it can be read with dmesg(1) or read in the syslog). This is a 
non-terminating statement, so the rule evaluation continues after the packet is 
logged. It is necessary to mention the group [default 0] to consider logging 
with nflog.
+   
+   log statement
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type
+   
+   
+   
+   
+   
level
+   Level of 
logging
+   unsigned 
integer (32 bit), emerg, alert, crit, err, warn [default], notice, info, 
debug
+   
+   
+   
prefix
+   Prefix 
log messages
+   
string
+   
+   
+
group
+Netlink 
group to send messages to
+
unsigned integer (32 bit)
+
+ 
+
snaplen
+Length 
of payload to include in netlink message
+
unsigned integer (32 bit)
+
+ 
+
queue-threshold
+Queue 
threshold value
+
unsigned integer (32 bit)
+
+   
+   
+   
+   
+

Reject statement

+   A reject statement is used to send back an 
error packet in response to the matched packet otherwise it is equivalent to 
drop so it is a terminating statement, ending rule traversal. This statement is 
only valid in the input, forward and output chains, and user-defined chains 
which are only called from those chains.
+   
+   reject statement (ipv4

Re: [PATCH v2] doc: Complete the documentation of statements

2016-05-12 Thread Shivani Bhardwaj
On Thu, May 12, 2016 at 4:35 PM, Pablo Neira Ayuso  wrote:
> On Thu, May 12, 2016 at 04:21:06PM +0530, Shivani Bhardwaj wrote:
>> On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso  
>> wrote:
>> > On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote:
>> >> + 
>> >> + 
The nflog statement provides 
>> >> logging of matching packets. When this statement is set for a rule, the 
>> >> Linux kernel will pass the packet to the loaded logging backend to log 
>> >> the packet. This is used in combination with nfnetlink_log as logging 
>> >> backend, which will multicast the packet through a netlink socket to the 
>> >> specified multicast group. One or more userspace processes may subscribe 
>> >> to the group to receive the packets. Like log statement, this is a 
>> >> non-terminating statement, i.e. rule traversal continues at the next 
>> >> rule. It is necessary to mention the group [default 0] to consider 
>> >> logging with nflog.
>> >
>> > We don't have a nflog statement, actually this is integrated into
> 'log' itself. So if you indicate the group, then it is assumed that you
>> > want to use logging through nflog.
>> >
>> Yes, I'm sorry for the mistake.
>
> No problem.
>
> [...]
>> >>   Meta statement
>> >>   
>> >> + A meta statement sets the value of a meta 
>> >> expression.
>> >> + The existing meta fields are: length,
>> >> nfproto, l4proto, protocol, priority, mark, iif, iifname, iiftype,
>> >> oif, oifname, oiftype, skuid, skgid, nftrace, rtclassid, ibriport,
>> >> obriport, pkttype, cpu, iifgroup, oifgroup, cgroup.
>> >
>> > We actually support a bunch of this, have a look at:
>> > net/netfilter/nft_meta.c so you know which ones we support ;)
>> >
>> Should I be adding the ones like prandom, secmark too? nft_meta.c
>> shows it but nftables doesn't seem to have an entry in the parser.
>> Please let me know.
>
> void nft_meta_set_eval(const struct nft_expr *expr,
>struct nft_regs *regs,
>const struct nft_pktinfo *pkt)
> {
> const struct nft_meta *meta = nft_expr_priv(expr);
> struct sk_buff *skb = pkt->skb;
> u32 value = regs->data[meta->sreg];
>
> switch (meta->key) {
> case NFT_META_MARK:
> [...]
> break;
> case NFT_META_PRIORITY:
> [...]
> break;
> case NFT_META_PKTTYPE:
> [...]
> break;
> case NFT_META_NFTRACE:
> [...]
> default:
> WARN_ON(1);
> }
> }
>
> We support mark, priority, pkttype and nftrace for meta statements at
> this stage.
>
> Note that you indicated what we support for meta expressions (what we
> used to call 'matches' in iptables) that is the long list of things
> you placed above.

OK. I confused expressions with statements again. I'm sorry. Fixing
this and sending the patch. Thanks!


Re: [PATCH v2] doc: Complete the documentation of statements

2016-05-12 Thread Shivani Bhardwaj
On Thu, May 12, 2016 at 3:14 PM, Pablo Neira Ayuso  wrote:
> On Thu, May 12, 2016 at 01:38:45PM +0530, Shivani Bhardwaj wrote:
>> Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT,
>> REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT,
>> NAT STATEMENT and QUEUE STATEMENT.
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>> Changes in v2:
>>   Add more content to the description.
>>
>>  doc/nft.xml | 259 
>> +++-
>>  1 file changed, 258 insertions(+), 1 deletion(-)
>>
>> diff --git a/doc/nft.xml b/doc/nft.xml
>> index e4d227c..be3a713 100644
>> --- a/doc/nft.xml
>> +++ b/doc/nft.xml
>> @@ -2185,37 +2185,294 @@ filter input iif eth0 drop
>>   
>>   
>>   Log statement
>> + 
>> +log
>> +
>> +prefix
>> +level
>> +
>> +
>> +
>>   
>> +  
The log statement enables
>  ^^
> This has accidentally slipped through, right?
>
Hi Pablo,

I was using that for newline but I switched now to , it looks OK now.

>> logging of matching packets. When this statement is used from a
>> rule, the Linux kernel will print some information on all matching
>> packets, such as header fields, via the kernel log (where it can be
>> read with dmesg(1) or read in the syslog). This is a non-terminating
>> statement, so the rule evaluation continues after the packet is
>> logged.
>> + 
>> + LOG statement
>> + > colsep='1' rowsep='1'>
>> + 
>> + 
>> + 
>> + 
>> + 
>> + 
>> Keyword
>> + 
>> Description
>> + 
>> Type
>> + 
>> + 
>> + 
>> + 
>> + 
>> level
>> + Level 
>> of logging
>> + 
>> unsigned integer (32 bit), emerg, alert, crit, err, warn [default], 
>> notice, info, debug
>> + 
>> + 
>> + 
>> prefix
>> + Prefix 
>> log messages
>> + 
>> string
>> + 
>> + 
>> + 
>> + 
>>   
>>   
>>   
>> + nflog statement
>> +  
>> +log
>> +group
>> +
>> +prefix
>> +queue-threshold
>> +snaplen
>> +
>> +
>> + 
>> + 
>> + 
The nflog statement provides logging 
>> of matching packets. When this statement is set for a rule, the Linux kernel 
>> will pass the packet to the loaded logging backend to log the packet. This 
>> is used in combination with nfnetlink_log as logging backe

[PATCH v2] doc: Complete the documentation of statements

2016-05-12 Thread Shivani Bhardwaj
Add documentation corresponding to LOG STATEMENT, NFLOG STATEMENT,
REJECT STATEMENT, COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT,
NAT STATEMENT and QUEUE STATEMENT.

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add more content to the description.

 doc/nft.xml | 259 +++-
 1 file changed, 258 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e4d227c..be3a713 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2185,37 +2185,294 @@ filter input iif eth0 drop


Log statement
+   
+log
+
+prefix
+level
+
+
+

+
The log statement enables logging of 
matching packets. When this statement is used from a rule, the Linux kernel 
will print some information on all matching packets, such as header fields, via 
the kernel log (where it can be read with dmesg(1) or read in the syslog). This 
is a non-terminating statement, so the rule evaluation continues after the 
packet is logged.
+   
+   LOG statement
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type
+   
+   
+   
+   
+   
level
+   Level of 
logging
+   unsigned 
integer (32 bit), emerg, alert, crit, err, warn [default], notice, info, 
debug
+   
+   
+   
prefix
+   Prefix 
log messages
+   
string
+   
+   
+   
+   



+   nflog statement
+
+log
+group
+
+prefix
+queue-threshold
+snaplen
+
+
+   
+   
+   
The nflog statement provides logging 
of matching packets. When this statement is set for a rule, the Linux kernel 
will pass the packet to the loaded logging backend to log the packet. This is 
used in combination with nfnetlink_log as logging backend, which will multicast 
the packet through a netlink socket to the specified multicast group. One or 
more userspace processes may subscribe to the group to receive the packets. 
Like log statement, this is a non-terminating statement, i.e. rule traversal 
continues at the next rule. It is necessary to mention the group [default 0] to 
consider logging with nflog.
+
+NFLOG statement
+
+
+
+
+
+
+
Keyword
+
Description
+
Type

[PATCH] extensions: libxt_NFQUEUE: Add missing tests

2016-04-29 Thread Shivani Bhardwaj
Add missing tests for NFQUEUE.

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_NFQUEUE.t | 4 
 1 file changed, 4 insertions(+)

diff --git a/extensions/libxt_NFQUEUE.t b/extensions/libxt_NFQUEUE.t
index d4e4274..b51b19f 100644
--- a/extensions/libxt_NFQUEUE.t
+++ b/extensions/libxt_NFQUEUE.t
@@ -10,3 +10,7 @@
 -j NFQUEUE --queue-balance 0:65536;;FAIL
 -j NFQUEUE --queue-balance -1:65535;;FAIL
 -j NFQUEUE --queue-num 10 --queue-bypass;=;OK
+-j NFQUEUE --queue-balance 0:6 --queue-cpu-fanout --queue-bypass;-j NFQUEUE 
--queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
+-j NFQUEUE --queue-bypass --queue-balance 0:6 --queue-cpu-fanout;-j NFQUEUE 
--queue-balance 0:6 --queue-bypass --queue-cpu-fanout;OK
+-j NFQUEUE --queue-balance 0:6 --queue-bypass;=;OK
+-j NFQUEUE --queue-bypass;-j NFQUEUE --queue-num 0 --queue-bypass;OK
-- 
1.9.1



Re: [PATCH 1/2] NFQUEUE: Fix bug with order of fanout and bypass

2016-04-15 Thread Shivani Bhardwaj
On Fri, Apr 15, 2016 at 4:14 PM, Pablo Neira Ayuso  wrote:
> On Thu, Apr 14, 2016 at 08:55:58PM +0530, Shivani Bhardwaj wrote:
>> NFQUEUE had a bug with the ordering of fanout and bypass options which
>> was arising due to same and odd values for flags and bypass when used
>> together. Because of this, during bitwise ANDing of flags and
>> NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
>> NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
>> whenever it was used before bypass because then flags would be 1.
>>
>> Before this patch,
>>
>> $ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 
>> --queue-cpu-fanout --queue-bypass
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>> NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
>> NFQUEUE balance 0:3 bypass
>>
>> After this patch,
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>> NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
>> NFQUEUE balance 0:3 bypass cpu-fanout
>>
>> Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
>
> Shivani, thanks for following up on this.
>
> Would you also update extensions/libxt_NFQUEUE.t to add a test so we
> make sure this regression doesn't happen ever again?
>
I just did that! :) Testing and sending out the patch.
Thanks.

> Thanks.


[PATCH libnftnl] tests: nat-test: Use different values to test

2016-04-15 Thread Shivani Bhardwaj
Tests are more effective if different values are set, so use different
values for every expression.

Signed-off-by: Shivani Bhardwaj 
---
 tests/nft-expr_nat-test.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c
index 50b115c..fd3a488 100644
--- a/tests/nft-expr_nat-test.c
+++ b/tests/nft-expr_nat-test.c
@@ -72,12 +72,12 @@ int main(int argc, char *argv[])
print_err("OOM");
 
nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_TYPE, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FAMILY, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MIN, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MAX, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MIN, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MAX, 0x1234568);
-   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FLAGS, 0x1234568);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FAMILY, 0x3456721);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MIN, 0x1452638);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MAX, 0x5134682);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MIN, 0x6124385);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MAX, 0x2153846);
+   nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FLAGS, 0x4213683);
 
nftnl_rule_add_expr(a, ex);
 
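Review bot: The replacement values are all seven hex digits, so every attribute stays below 2^28 and none of them exercises the upper bits of the u32 the setters take; a value with the top bit set (a constructed `0x8abc1234`, say) on at least one of the `NFTNL_EXPR_NAT_*` attributes would also catch a sign or width mistake in the netlink round trip, which distinct-but-small values cannot. `NFTNL_EXPR_NAT_TYPE` on the unchanged line above keeps `0x1234568`, so it now stands out from the rest; a short comment explaining why the values differ (`/* distinct per attribute so a swapped field fails the compare */`) would make the intent survive the next edit. The comparison that consumes these values presumably lives in a helper outside the hunk.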
-- 
1.9.1



[PATCH 1/2] NFQUEUE: Fix bug with order of fanout and bypass

2016-04-14 Thread Shivani Bhardwaj
NFQUEUE had a bug with the ordering of the fanout and bypass options,
which arose because flags and bypass ended up with the same, odd, value
when used together. Because of this, the bitwise AND of flags and
NFQ_FLAG_CPU_FANOUT always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02), which led to the fanout option being skipped
whenever it was used before bypass, because then flags would be 1.

Before this patch,

$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 
--queue-cpu-fanout --queue-bypass

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
NFQUEUE balance 0:3 bypass

After this patch,

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
NFQUEUE balance 0:3 bypass cpu-fanout

Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939

Suggested-by: Pablo Neira Ayuso 
Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_NFQUEUE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 8115457..0b5becc 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -99,7 +99,7 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
NFQUEUE_parse_v1(cb);
switch (cb->entry->id) {
case O_QUEUE_BYPASS:
-   info->bypass = 1;
+   info->bypass |= NFQ_FLAG_BYPASS;
break;
}
 }
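Review bot: `info->bypass |= NFQ_FLAG_BYPASS;` is correct but reads as an odd choice on its own, because `bypass` looks like a plain boolean; the reason it must be an OR is that, as long as NFQUEUE_parse_v3 chains into this function, the same storage is interpreted as the v3 `flags` word that may already hold NFQ_FLAG_CPU_FANOUT (inferred from the companion "Unstack different versions" patch below, not visible here). A comment on the line, `/* OR, not assign: when reached via parse_v3 this field is the v3 flags word */`, would stop the next cleanup from reverting it. Whether the field should be compared with `& NFQ_FLAG_BYPASS` rather than truth-tested in the print/save paths is outside this hunk.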
-- 
1.9.1



[PATCH 2/2] extensions: libxt_NFQUEUE: Unstack different versions

2016-04-14 Thread Shivani Bhardwaj
Remove the stacking of the older versions into the newer ones by adding
the appropriate code corresponding to each version.

Suggested-by: Florian Westphal 
Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_NFQUEUE.c | 104 +++--
 1 file changed, 92 insertions(+), 12 deletions(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 0b5becc..e8b81b6 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -30,23 +30,32 @@ static void NFQUEUE_help(void)
 
 static void NFQUEUE_help_v1(void)
 {
-   NFQUEUE_help();
printf(
+"NFQUEUE target options\n"
+"  --queue-num valueSend packet to QUEUE number .\n"
+"   Valid queue numbers are 0-65535\n"
 "  --queue-balance first:last  Balance flows between queues  to 
.\n");
 }
 
 static void NFQUEUE_help_v2(void)
 {
-   NFQUEUE_help_v1();
printf(
+"NFQUEUE target options\n"
+"  --queue-num valueSend packet to QUEUE number .\n"
+"   Valid queue numbers are 0-65535\n"
+"  --queue-balance first:last   Balance flows between queues  to 
.\n"
 "  --queue-bypass  Bypass Queueing if no queue instance exists.\n"
 "  --queue-cpu-fanout  Use current CPU (no hashing)\n");
 }
 
 static void NFQUEUE_help_v3(void)
 {
-   NFQUEUE_help_v2();
printf(
+"NFQUEUE target options\n"
+"  --queue-num valueSend packet to QUEUE number .\n"
+"   Valid queue numbers are 0-65535\n"
+"  --queue-balance first:last   Balance flows between queues  to 
.\n"
+"  --queue-bypass   Bypass Queueing if no queue instance exists.\n"
 "  --queue-cpu-fanout  Use current CPU (no hashing)\n");
 }
 
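Review bot: The column alignment of the duplicated help text is inconsistent between the three functions: v1 has `--queue-balance first:last  Balance` with two spaces, v2 and v3 use three, and `--queue-bypass` is padded differently in v2 and v3, so `iptables -j NFQUEUE --help` output now depends on the revision picked. The three `--queue-num` lines are byte-identical across the functions; a `static const char NFQUEUE_help_common[]` holding them, printed with `printf("%s", ...)` at the top of each helper, keeps each revision self-contained (the goal of this patch) without triplicating the text. NFQUEUE_help for v0 is outside the hunk.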
@@ -95,9 +104,21 @@ static void NFQUEUE_parse_v1(struct xt_option_call *cb)
 static void NFQUEUE_parse_v2(struct xt_option_call *cb)
 {
struct xt_NFQ_info_v2 *info = cb->data;
+   const uint16_t *r = cb->val.u16_range;
 
-   NFQUEUE_parse_v1(cb);
+   xtables_option_parse(cb);
switch (cb->entry->id) {
+   case O_QUEUE_BALANCE:
+   if (cb->nvals != 2)
+   xtables_error(PARAMETER_PROBLEM,
+   "Bad range \"%s\"", cb->arg);
+   if (r[0] >= r[1])
+   xtables_error(PARAMETER_PROBLEM,
+ "%u should be less than %u",
+ r[0], r[1]);
+   info->queuenum = r[0];
+   info->queues_total = r[1] - r[0] + 1;
+   break;
case O_QUEUE_BYPASS:
info->bypass |= NFQ_FLAG_BYPASS;
break;
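Review bot: The balance parsing added here is repeated verbatim in NFQUEUE_parse_v3 in the next hunk (and presumably mirrors NFQUEUE_parse_v1, which is outside this patch); a small `static void nfqueue_parse_balance(struct xt_option_call *cb, uint16_t *queuenum, uint16_t *queues_total)` called from all three would keep the range validation in one place. Separately, `r[1] - r[0] + 1` reaches 65536 for the range 0:65535, which does not fit `queues_total` if that field is 16-bit as the `u16_range` input suggests — worth rejecting that corner (or documenting the limit in the help) rather than letting it wrap. The closing braces of the switch and of the function lie outside the hunk.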
@@ -107,9 +128,24 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
 static void NFQUEUE_parse_v3(struct xt_option_call *cb)
 {
struct xt_NFQ_info_v3 *info = cb->data;
+   const uint16_t *r = cb->val.u16_range;
 
-   NFQUEUE_parse_v2(cb);
+   xtables_option_parse(cb);
switch (cb->entry->id) {
+   case O_QUEUE_BALANCE:
+   if (cb->nvals != 2)
+   xtables_error(PARAMETER_PROBLEM,
+   "Bad range \"%s\"", cb->arg);
+   if (r[0] >= r[1])
+   xtables_error(PARAMETER_PROBLEM,
+ "%u should be less than %u",
+ r[0], r[1]);
+   info->queuenum = r[0];
+   info->queues_total = r[1] - r[0] + 1;
+   break;
+   case O_QUEUE_BYPASS:
+   info->flags |= NFQ_FLAG_BYPASS;
+   break;
case O_QUEUE_CPU_FANOUT:
info->flags |= NFQ_FLAG_CPU_FANOUT;
break;
@@ -142,8 +178,14 @@ static void NFQUEUE_print_v2(const void *ip,
  const struct xt_entry_target *target, int numeric)
 {
const struct xt_NFQ_info_v2 *info = (void *) target->data;
+   unsigned int last = info->queues_total;
+
+   if (last > 1) {
+   last += info->queuenum - 1;
+   printf(" NFQUEUE balance %u:%u", info->queuenum, last);
+   } else
+   printf(" NFQUEUE num %u", info->queuenum);
 
-   NFQUEUE_print_v1(ip, target, numeric);
if (info->bypass & NFQ_FLAG_BYPASS)
printf(" bypass");
 }
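Review bot: The new `if (last > 1) { ... } else printf(...)` braces one branch and not the other; the usual kernel style braces both once either needs them, so `} else {` / `}` would be the conventional form. This block also looks like a copy of what NFQUEUE_print_v1 printed (the same lines are being added to NFQUEUE_print_v3 in the following hunk), so a `static void nfqueue_print_queues(uint16_t queuenum, uint16_t queues_total)` helper would keep the `" NFQUEUE balance %u:%u"` / `" NFQUEUE num %u"` output in one place.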
@@ -152,8 +194,17 @@ static void NFQUEUE_print_v3(const void *ip,
  const struct xt_entry_target *target, int numeric)
 {
const struct xt_NFQ_info_v3 *info = (void *)target->data;
+   unsigned int last = info->queues_total;
+
+   i

Re: [PATCH] NFQUEUE: Fix bug with order of fanout and bypass

2016-04-12 Thread Shivani Bhardwaj
On Tue, Apr 12, 2016 at 10:58 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> NFQUEUE had a bug with the ordering of fanout and bypass options which
>> was arising due to same and odd values for flags and bypass when used
>> together. Because of this, during bitwise ANDing of flags and
>> NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
>> NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
>> whenever it was used before bypass because then flags would be 1.
>>
>> Before this patch,
>>
>> $ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 
>> --queue-cpu-fanout --queue-bypass
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>> NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
>> NFQUEUE balance 0:3 bypass
>>
>> After this patch,
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source   destination
>> NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
>> NFQUEUE balance 0:3 bypass cpu-fanout
>
>> Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
>
> Ugh, good catch!
>
>> diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
>> index 8115457..0b5becc 100644
>> --- a/extensions/libxt_NFQUEUE.c
>> +++ b/extensions/libxt_NFQUEUE.c
>> @@ -99,7 +99,7 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
>>   NFQUEUE_parse_v1(cb);
>>   switch (cb->entry->id) {
>>   case O_QUEUE_BYPASS:
>> - info->bypass = 1;
>> + info->bypass |= NFQ_FLAG_BYPASS;
>>   break;
>
> I don't like this mix of v2 and v3 layout.
>
> Could you try to create an alternate patch that changes
> NFQUEUE_parse_v3 to call NFQUEUE_parse_v1 and then add
> case O_QUEUE_BYPASS:
> info->bypass |= NFQ_FLAG_BYPASS;
>
> to NFQUEUE_parse_v3?
>
> I think that this would make it a bit clearer and
> it also avoids the v3/v2/v1 stacking.
>
Sure.
Just to make sure I get this right: should I use two objects, of struct
xt_NFQ_info_v3 and struct xt_NFQ_info_v2 (since v3 does not have
bypass), and write the switch cases in v3 accordingly?
Should I do this for all the functions (save, xlate, print), since they
have the same stacking too?

Thanks!

> Thanks!


[PATCH] NFQUEUE: Fix bug with order of fanout and bypass

2016-04-12 Thread Shivani Bhardwaj
NFQUEUE had a bug with the ordering of the fanout and bypass options, which
arose because flags and bypass ended up with the same, odd, values when used
together. Because of this, the bitwise AND of flags with
NFQ_FLAG_CPU_FANOUT always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02), so the fanout option was skipped whenever it was
given before bypass, because flags would then be 1.

Before this patch,

$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 
--queue-cpu-fanout --queue-bypass

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
NFQUEUE balance 0:3 bypass

After this patch,

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
NFQUEUEtcp  --  anywhere anywhere tcp spt:http 
NFQUEUE balance 0:3 bypass cpu-fanout

Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939

Suggested-by: Pablo Neira Ayuso 
Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_NFQUEUE.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 8115457..0b5becc 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -99,7 +99,7 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
NFQUEUE_parse_v1(cb);
switch (cb->entry->id) {
case O_QUEUE_BYPASS:
-   info->bypass = 1;
+   info->bypass |= NFQ_FLAG_BYPASS;
break;
}
 }
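Review bot: Nothing in the code says why `info->bypass` now takes a flag bit rather than `1`; it matters only because, as the description implies, this v2 parser also runs on the v3 structure where the same slot holds `flags`, and a plain assignment clobbered NFQ_FLAG_CPU_FANOUT. A one-line comment on the new line, `/* also run for v3, where this slot is 'flags': set the bit, do not overwrite */`, would stop the next reader from "simplifying" it back to an assignment. The rest of NFQUEUE_parse_v2 is outside the hunk.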
-- 
1.9.1



[PATCH nft v2] src: evaluate: Show error for fanout without balance

2016-04-07 Thread Shivani Bhardwaj
The idea of the fanout option is to improve performance by using the CPU
ID as an index to map packets to queues. This is used for load balancing.
The fanout option is not needed when a single queue is specified.

Following iptables, which requires queue balance to be specified in order
to use fanout, throw an error in nftables if the range of queues for load
balancing is not specified together with the fanout option.

After this patch,

$ sudo nft add rule ip filter forward counter queue num 0 fanout
:1:46-46: Error: fanout requires queue num range to be specified
add rule ip filter forward counter queue num 0 fanout
 ^

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Update the description with error that is going to show up

 src/evaluate.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 473f014..f3fe13d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2000,6 +2000,11 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, 
struct stmt *stmt)
if (!expr_is_constant(stmt->queue.queue))
return expr_error(ctx->msgs, stmt->queue.queue,
  "queue number is not constant");
+   if (stmt->queue.queue->ops->type != EXPR_RANGE &&
+   (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT))
+   return expr_error(ctx->msgs, stmt->queue.queue,
+ "fanout requires queue num range"
+ " to be specified");
}
return 0;
 }
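Review bot: The new fanout check sits inside a block whose opening is outside the hunk; if that block is only entered when `stmt->queue.queue` is set, a rule that gives `fanout` with no queue number at all (a single implicit queue) still passes evaluation, which is the very situation the check is meant to reject. Testing the flag after the closing brace, and dereferencing the queue expression only when it is non-NULL — `if ((stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT) && (!stmt->queue.queue || stmt->queue.queue->ops->type != EXPR_RANGE))` with the error anchored at the statement rather than at the queue expression — would cover both cases. The identical hunk appears in the v1 posting of this patch further down the page. stmt_evaluate_queue's body begins outside the hunk.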
-- 
1.9.1



Re: [PATCH nft] src: evaluate: Show error for fanout without balance

2016-04-07 Thread Shivani Bhardwaj
On Thu, Apr 7, 2016 at 10:43 PM, Pablo Neira Ayuso  wrote:
> On Thu, Apr 07, 2016 at 03:06:40PM +0530, Shivani Bhardwaj wrote:
>> The idea of fanout option is to improve the performance by indexing CPU
>> ID to map packets to the queues. This is used for load balancing.
>> Fanout option is not required when there is a single queue specified.
>>
>> According to iptables, queue balance should be specified in order to use
>> fanout, following that, throw an error in nftables if the range of
>> queues for load balancing is not specified with the fanout option.
>
> Curious, how does iptables behave when you pass fanout and a single
> queue?
>

It throws an error:

$ sudo iptables -A FORWARD -j NFQUEUE --queue-num 0 --queue-cpu-fanout
iptables v1.6.0: NFQUEUE: option "--queue-cpu-fanout" also requires
"--queue-balance".

Try `iptables -h' or 'iptables --help' for more information.

Since queue-balance is expressed in nftables as a queue num with a range, I
thought it should follow the same rule as iptables.

> Could you also include how the nft error output looks like after your
> patch in your description?
>

Yes I'll do that.
Thanks.

> Thanks.


[PATCH nft] src: evaluate: Show error for fanout without balance

2016-04-07 Thread Shivani Bhardwaj
The idea of fanout option is to improve the performance by indexing CPU
ID to map packets to the queues. This is used for load balancing.
Fanout option is not required when there is a single queue specified.

Following iptables, which requires queue balance to be specified in order
to use fanout, throw an error in nftables if the range of queues for load
balancing is not specified together with the fanout option.

Signed-off-by: Shivani Bhardwaj 
---
 src/evaluate.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/src/evaluate.c b/src/evaluate.c
index 473f014..f3fe13d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2000,6 +2000,11 @@ static int stmt_evaluate_queue(struct eval_ctx *ctx, 
struct stmt *stmt)
if (!expr_is_constant(stmt->queue.queue))
return expr_error(ctx->msgs, stmt->queue.queue,
  "queue number is not constant");
+   if (stmt->queue.queue->ops->type != EXPR_RANGE &&
+   (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT))
+   return expr_error(ctx->msgs, stmt->queue.queue,
+ "fanout requires queue num range"
+ " to be specified");
}
return 0;
 }
-- 
1.9.1



[PATCH] doc: Complete the documentation of statements

2016-04-05 Thread Shivani Bhardwaj
Add documentation corresponding to LOG STATEMENT, REJECT STATEMENT,
COUNTER STATEMENT, META STATEMENT, LIMIT STATEMENT, NAT STATEMENT,
QUEUE STATEMENT.

Signed-off-by: Shivani Bhardwaj 
---
 doc/nft.xml | 188 +++-
 1 file changed, 187 insertions(+), 1 deletion(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e4d227c..cec4dbf 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2186,36 +2186,222 @@ filter input iif eth0 drop

Log statement

+   A log statement is used to set logging 
attributes of a packet. Default log level is warn.
+   
+   LOG statement
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type
+   
+   
+   
+   
+   
level
+   Level of 
logging
+   unsigned 
integer (32 bit), emerg, alert, crit, err, warn, notice, info, debug
+   
+   
+   
prefix
+   Prefix 
log messages
+   
string
+   
+   
+   
+   



Reject statement

+   A reject statement is used to set an error 
packet response. The default error packet is port-unreachable.
+   
+   REJECT statement (ipv4)
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type
+   
+   
+   
+   
+   with 
icmp type
+   ICMP 
response to be sent to the host
+   unsigned 
integer (8 bit), net-unreachable, host-unreachable, prot-unreachable, 
port-unreachable, net-prohibited, host-prohibited, admin-prohibited
+   
+   
+   
with
+   Used on 
rules which only match the TCP
+   tcp 
reset
+   
+   
+   
+   
+   
+   REJECT statement (ipv6)
+   
+   
+   
+   
+   
+   
+   
Keyword
+   
Description
+   
Type

[PATCH v4] configure: Show support for connlabel

2016-03-21 Thread Shivani Bhardwaj
Add the --disable-connlabel option and the appropriate functionality
associated with it.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support: yes
  IPv6 support: yes
  Devel support:yes
  IPQ support:  no
  Large file support:   yes
  BPF utils support:no
  nfsynproxy util support:  no
  nftables support: yes
  connlabel support:yes

Signed-off-by: Shivani Bhardwaj 
---
Changes in v4:
Set enable_connlabel to "no" when package requirements are not
met

Changes in v3:
Remove check for libnfnetlink from the if block

Changes in v2:
Correct the option to disable-connlabel and add code to make it
work

 configure.ac | 31 ++-
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index 33a8f2d..12bffa9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,10 @@ AC_ARG_WITH([pkgconfigdir], 
AS_HELP_STRING([--with-pkgconfigdir=PATH],
 AC_ARG_ENABLE([nftables],
AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
[enable_nftables="$enableval"], [enable_nftables="yes"])
+AC_ARG_ENABLE([connlabel],
+   AS_HELP_STRING([--disable-connlabel],
+   [Do not build libnetfilter_conntrack]),
+   [enable_connlabel="$enableval"], [enable_connlabel="yes"])
 
 libiptc_LDFLAGS2="";
 AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
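Review bot: The help string for `--disable-connlabel` says `Do not build libnetfilter_conntrack`, but the switch does not build or skip that library — it controls whether the connlabel match is built (and, per the later hunk, whether the library is probed at all). `[Do not build connlabel match (requires libnetfilter_conntrack)]` describes what the option actually does. The same wording appears in the first hunk of the v3 and v2 postings of this patch further down the page.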
@@ -93,15 +97,6 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
 fi;
 
-PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4],
-   [nfconntrack=1], [nfconntrack=0])
-AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
-
-if test "$nfconntrack" -ne 1; then
-   blacklist_modules="$blacklist_modules connlabel";
-   echo "WARNING: libnetfilter_conntrack not found, connlabel match will 
not be built";
-fi;
-
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include ])
 
 AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
@@ -114,6 +109,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = 
"yes"])
 AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
 AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
 
 if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library 
required by bpf compiler or nfsynproxy tool))
@@ -168,6 +164,22 @@ if test "$nftables" != 1; then
blacklist_a_modules="$blacklist_a_modules mangle"
 fi
 
+if test "x$enable_connlabel" = "xyes"; then
+   PKG_CHECK_MODULES([libnetfilter_conntrack],
+   [libnetfilter_conntrack >= 1.0.4],
+   [nfconntrack=1], [nfconntrack=0])
+
+   if test "$nfconntrack" -ne 1; then
+   blacklist_modules="$blacklist_modules connlabel";
+   echo "WARNING: libnetfilter_conntrack not found, connlabel 
match will not be built";
+   enable_connlabel = "no";
+   fi;
+else
+   blacklist_modules="$blacklist_modules connlabel";
+fi;
+
+AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
+
 AC_SUBST([blacklist_modules])
 AC_SUBST([blacklist_x_modules])
 AC_SUBST([blacklist_b_modules])
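Review bot: `enable_connlabel = "no";` is not a shell assignment — with spaces around `=` it runs a command named `enable_connlabel`, which fails with "command not found" and leaves the variable at "yes", so the banner still reports connlabel support after the library check has failed; it must be `enable_connlabel="no"`. Even with that fixed, `AM_CONDITIONAL([ENABLE_CONNLABEL], ...)` in the previous hunk is evaluated earlier in the generated configure, before this block can downgrade the variable, so that conditional will not reflect a missing library unless it is moved below this block. The `else` branch also never sets `nfconntrack`, so the `HAVE_LIBNETFILTER_CONNTRACK` test at the bottom compares an unset variable; an explicit `nfconntrack=0` there makes the intent clear, and the v3 and v2 postings further down have the same gap. `AC_MSG_WARN` would be the autoconf-native form of the `echo "WARNING: ..."` line.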
@@ -243,6 +255,7 @@ Iptables Configuration:
   BPF utils support:   ${enable_bpfc}
   nfsynproxy util support: ${enable_nfsynproxy}
   nftables support:${enable_nftables}
+  connlabel support:   ${enable_connlabel}
 
 Build parameters:
   Put plugins into executable (static):${enable_static}
-- 
1.9.1



Re: [PATCH v3] configure: Show support for connlabel

2016-03-15 Thread Shivani Bhardwaj
On Tue, Mar 15, 2016 at 6:06 AM, Pablo Neira Ayuso  wrote:
> On Sat, Mar 12, 2016 at 05:48:04PM +0530, Shivani Bhardwaj wrote:
>> Add the --disable-connlabel option and the appropriate functionality
>> associated with it.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Configuration:
>>   IPv4 support: yes
>>   IPv6 support: yes
>>   Devel support:yes
>>   IPQ support:  no
>>   Large file support:   yes
>>   BPF utils support:no
>>   nfsynproxy util support:  no
>>   nftables support: yes
>>   connlabel support:    yes
>
> I think we are almost there, see below.
>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>> Changes in v3:
>>   Remove check for libnfnetlink from the if block
>>
>> Changes in v2:
>>   Correct the option to disable-connlabel and add code to make it
>>   work
>>
>>  configure.ac | 30 +-
>>  1 file changed, 21 insertions(+), 9 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 33a8f2d..f9bc2a3 100644
>> --- a/configure.ac
>> +++ b/configure.ac
> [...]
>> @@ -168,6 +164,21 @@ if test "$nftables" != 1; then
>>   blacklist_a_modules="$blacklist_a_modules mangle"
>>  fi
>>
>> +if test "x$enable_connlabel" = "xyes"; then
>> + PKG_CHECK_MODULES([libnetfilter_conntrack],
>> + [libnetfilter_conntrack >= 1.0.4],
>> + [nfconntrack=1], [nfconntrack=0])
>> +
>> + if test "$nfconntrack" -ne 1; then
>> + blacklist_modules="$blacklist_modules connlabel";
>> + echo "WARNING: libnetfilter_conntrack not found, connlabel 
>> match will not be built";
>
> Could you set enable_connlabel to "no" when this occurs so the banner
> also displays that connlabel support has been skipped?
>
OK. Thanks.
One question: in the nftables case, I see that enable_nftables is never
set to "no"; should that be added for when the package requirements are
not met?
The same goes for bpfc and nfsynproxy.

>> + fi;
>> +else
>> + blacklist_modules="$blacklist_modules connlabel";
>> +fi;


[PATCH v3] configure: Show support for connlabel

2016-03-12 Thread Shivani Bhardwaj
Add the --disable-connlabel option and the appropriate functionality
associated with it.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support: yes
  IPv6 support: yes
  Devel support:yes
  IPQ support:  no
  Large file support:   yes
  BPF utils support:no
  nfsynproxy util support:  no
  nftables support: yes
  connlabel support:yes

Signed-off-by: Shivani Bhardwaj 
---
Changes in v3:
Remove check for libnfnetlink from the if block

Changes in v2:
Correct the option to disable-connlabel and add code to make it
work

 configure.ac | 30 +-
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index 33a8f2d..f9bc2a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,10 @@ AC_ARG_WITH([pkgconfigdir], 
AS_HELP_STRING([--with-pkgconfigdir=PATH],
 AC_ARG_ENABLE([nftables],
AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
[enable_nftables="$enableval"], [enable_nftables="yes"])
+AC_ARG_ENABLE([connlabel],
+   AS_HELP_STRING([--disable-connlabel],
+   [Do not build libnetfilter_conntrack]),
+   [enable_connlabel="$enableval"], [enable_connlabel="yes"])
 
 libiptc_LDFLAGS2="";
 AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
@@ -93,15 +97,6 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
 fi;
 
-PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4],
-   [nfconntrack=1], [nfconntrack=0])
-AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
-
-if test "$nfconntrack" -ne 1; then
-   blacklist_modules="$blacklist_modules connlabel";
-   echo "WARNING: libnetfilter_conntrack not found, connlabel match will 
not be built";
-fi;
-
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include ])
 
 AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
@@ -114,6 +109,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = 
"yes"])
 AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
 AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
 
 if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library 
required by bpf compiler or nfsynproxy tool))
@@ -168,6 +164,21 @@ if test "$nftables" != 1; then
blacklist_a_modules="$blacklist_a_modules mangle"
 fi
 
+if test "x$enable_connlabel" = "xyes"; then
+   PKG_CHECK_MODULES([libnetfilter_conntrack],
+   [libnetfilter_conntrack >= 1.0.4],
+   [nfconntrack=1], [nfconntrack=0])
+
+   if test "$nfconntrack" -ne 1; then
+   blacklist_modules="$blacklist_modules connlabel";
+   echo "WARNING: libnetfilter_conntrack not found, connlabel 
match will not be built";
+   fi;
+else
+   blacklist_modules="$blacklist_modules connlabel";
+fi;
+
+AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
+
 AC_SUBST([blacklist_modules])
 AC_SUBST([blacklist_x_modules])
 AC_SUBST([blacklist_b_modules])
@@ -243,6 +254,7 @@ Iptables Configuration:
   BPF utils support:   ${enable_bpfc}
   nfsynproxy util support: ${enable_nfsynproxy}
   nftables support:${enable_nftables}
+  connlabel support:   ${enable_connlabel}
 
 Build parameters:
   Put plugins into executable (static):${enable_static}
-- 
1.9.1



Re: [PATCH] extensions: libipt_LOG: Avoid to print the default log level in the translation

2016-03-10 Thread Shivani Bhardwaj
On Thu, Mar 10, 2016 at 11:45 PM, Laura Garcia Liebana  wrote:
> Avoid to print the log level in the translation when the level is the
> default value.
>
> Example:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
> nft add rule ip filter INPUT icmp type != router-solicitation counter log
>

Looks good. Don't forget to send a patch for libip6t_LOG too.

The same applies to reject. When I did those translations, I left its
default untouched.
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with
icmpv6 type port-unreachable

Pablo, should this be corrected too?

Laura, may be you can send more patches depending on his response.

Thanks.

> Signed-off-by: Laura Garcia Liebana 
> ---
>  extensions/libipt_LOG.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
> index f3875b6..216b1ca 100644
> --- a/extensions/libipt_LOG.c
> +++ b/extensions/libipt_LOG.c
> @@ -194,7 +194,8 @@ static int LOG_xlate(const struct xt_entry_target *target,
> xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
>
> for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
> -   if (loginfo->level == ipt_log_xlate_names[i].level) {
> +   if (loginfo->level != LOG_DEFAULT_LEVEL &&
> +   loginfo->level == ipt_log_xlate_names[i].level) {
> xt_xlate_add(xl, "level %s ",
>ipt_log_xlate_names[i].name);
> break;
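Review bot: The `loginfo->level != LOG_DEFAULT_LEVEL` test is loop-invariant but is now re-evaluated on every iteration of the `ipt_log_xlate_names` loop; checking it once, as an `if (loginfo->level != LOG_DEFAULT_LEVEL)` guarding the whole `for`, reads directly as "emit a level only when it is not the default", which is what the commit intends. LOG_xlate starts before this hunk and its remaining body is not shown.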
> --
> 2.7.0
>


[PATCH v2] configure: Show support for connlabel

2016-03-10 Thread Shivani Bhardwaj
Add the --disable-connlabel option and the appropriate functionality
associated with it.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support: yes
  IPv6 support: yes
  Devel support:yes
  IPQ support:  no
  Large file support:   yes
  BPF utils support:no
  nfsynproxy util support:  no
  nftables support: yes
  connlabel support:yes

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Correct the option to disable-connlabel and add code to make it
work

 configure.ac | 38 +-
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/configure.ac b/configure.ac
index 33a8f2d..afc6845 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,10 @@ AC_ARG_WITH([pkgconfigdir], 
AS_HELP_STRING([--with-pkgconfigdir=PATH],
 AC_ARG_ENABLE([nftables],
AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
[enable_nftables="$enableval"], [enable_nftables="yes"])
+AC_ARG_ENABLE([connlabel],
+   AS_HELP_STRING([--disable-connlabel],
+   [Do not build libnetfilter_conntrack]),
+   [enable_connlabel="$enableval"], [enable_connlabel="yes"])
 
 libiptc_LDFLAGS2="";
 AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
@@ -93,15 +97,6 @@ if test "$ac_cv_header_linux_ip_vs_h" != "yes"; then
blacklist_modules="$blacklist_modules ipvs";
 fi;
 
-PKG_CHECK_MODULES([libnetfilter_conntrack], [libnetfilter_conntrack >= 1.0.4],
-   [nfconntrack=1], [nfconntrack=0])
-AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
-
-if test "$nfconntrack" -ne 1; then
-   blacklist_modules="$blacklist_modules connlabel";
-   echo "WARNING: libnetfilter_conntrack not found, connlabel match will 
not be built";
-fi;
-
 AC_CHECK_SIZEOF([struct ip6_hdr], [], [#include ])
 
 AM_CONDITIONAL([ENABLE_STATIC], [test "$enable_static" = "yes"])
@@ -114,15 +109,12 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = 
"yes"])
 AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
 AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
 
 if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library 
required by bpf compiler or nfsynproxy tool))
 fi
 
-PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
-   [nfnetlink=1], [nfnetlink=0])
-AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
-
 if test "x$enable_nftables" = "xyes"; then
PKG_CHECK_MODULES([libmnl], [libmnl >= 1.0], [mnl=1], [mnl=0])
 
@@ -163,6 +155,25 @@ fi
 AM_CONDITIONAL([HAVE_LIBMNL], [test "$mnl" = 1])
 AM_CONDITIONAL([HAVE_LIBNFTNL], [test "$nftables" = 1])
 
+if test "x$enable_connlabel" = "xyes"; then
+   PKG_CHECK_MODULES([libnetfilter_conntrack],
+   [libnetfilter_conntrack >= 1.0.4],
+   [nfconntrack=1], [nfconntrack=0])
+
+   if test "$nfconntrack" -ne 1; then
+   blacklist_modules="$blacklist_modules connlabel";
+   echo "WARNING: libnetfilter_conntrack not found, connlabel 
match will not be built";
+   fi;
+
+   PKG_CHECK_MODULES([libnfnetlink], [libnfnetlink >= 1.0],
+   [nfnetlink=1], [nfnetlink=0])
+else
+   blacklist_modules="$blacklist_modules connlabel";
+fi;
+
+AM_CONDITIONAL([HAVE_LIBNETFILTER_CONNTRACK], [test "$nfconntrack" = 1])
+AM_CONDITIONAL([HAVE_LIBNFNETLINK], [test "$nfnetlink" = 1])
+
 if test "$nftables" != 1; then
blacklist_b_modules="$blacklist_b_modules limit mark nflog mangle"
blacklist_a_modules="$blacklist_a_modules mangle"
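Review bot: Moving the libnfnetlink probe inside the `enable_connlabel` block ties `HAVE_LIBNFNETLINK` to `--disable-connlabel`, although the `PKG_CHECK_MODULES([libnfnetlink], ...)` the previous hunk removes was not connlabel-specific; with `--disable-connlabel`, `nfnetlink` is never set and the conditional at the bottom silently evaluates false for any other consumer of it. Keeping the libnfnetlink check unconditional (or at the very least setting `nfnetlink=0` in the `else` branch) avoids that side effect.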
@@ -243,6 +254,7 @@ Iptables Configuration:
   BPF utils support:   ${enable_bpfc}
   nfsynproxy util support: ${enable_nfsynproxy}
   nftables support:${enable_nftables}
+  connlabel support:   ${enable_connlabel}
 
 Build parameters:
   Put plugins into executable (static):${enable_static}
-- 
1.9.1



Re: [PATCHv2] extensions: libipt_icmp: Add translation to nft

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 11:34 PM, Laura Garcia  wrote:
> On Mon, Mar 07, 2016 at 06:14:08PM +0100, Pablo Neira Ayuso wrote:
>> On Sun, Mar 06, 2016 at 11:24:44PM +0100, Laura Garcia Liebana wrote:
>> > Add translation for icmp to nftables. Not supported types in nftables
>> > are: any, network-unreachable, host-unreachable, protocol-unreachable,
>> > port-unreachable, fragmentation-needed, source-route-failed,
>> > network-unknown, host-unknown, network-prohibited, host-prohibited,
>> > TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
>> > host-precedence-violation, precedence-cutoff, network-redirect,
>> > host-redirect, TOS-network-redirect, TOS-host-redirect,
>> > router-advertisement, router-solicitation, ttl-zero-during-transit,
>> > ttl-zero-during-reassembly, ip-header-bad and required-option-missing.
>> >
>> > Examples:
>> >
>> > $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 
>> > echo-reply -j LOG
>> > nft add rule ip filter INPUT icmp type echo-reply counter log level warn
>> >
>> > $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
>> > nft add rule ip filter INPUT icmp type destination-unreachable counter log 
>> > level warn
>> >
>> > $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
>> > nft add rule ip filter INPUT icmp type != destination-unreachable counter 
>> > log level warn
>> >
>> > Signed-off-by: Laura Garcia Liebana 
>> > ---
>> > v2:
>> > - Detection of not supported types in nftables, as Shivani suggested.
>> >
>> >  extensions/libipt_icmp.c | 46 
>> > +-
>> >  1 file changed, 45 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
>> > index 666e7da..89eb36e 100644
>> > --- a/extensions/libipt_icmp.c
>> > +++ b/extensions/libipt_icmp.c
>> > @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
>> >  }
>> >
>> >  static void icmp_print(const void *ip, const struct xt_entry_match *match,
>> > -   int numeric)
>> > +  int numeric)
>> >  {
>> > const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
>> >
>> > @@ -249,6 +249,49 @@ static void icmp_save(const void *ip, const struct 
>> > xt_entry_match *match)
>> > }
>> >  }
>> >
>> > +static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int 
>> > icmptype,
>> > +unsigned int code_min, unsigned int code_max)
>> > +{
>> > +   unsigned int i;
>> > +
>> > +   if (code_min == code_max)
>> > +   return 0;
>> > +
>> > +   switch (icmptype) {
>> > +   case 0xFF:
>> > +   case 9:
>> > +   case 10:
>>
>> Why are we skipping these here?
>>
>
> These are types which doesn't seem to be supported by nftables: any,
> router-advertisement and router-solicitation, so in this case we would
> return a 0 in order to indicate that the translation is not supported.
>
>> > +   return 0;
>> > +   default:
>> > +   for (i = 0; ARRAY_SIZE(icmp_codes); ++i)
>>
>> Missing bracket here.
>>
>> > +   if (icmp_codes[i].type == icmptype &&
>> > +   icmp_codes[i].code_min == code_min &&
>> > +   icmp_codes[i].code_max == code_max)
>> > +   break;
>> > +
>> > +   xt_xlate_add(xl, icmp_codes[i].name);
>>
>> Same thing. But as I said in the previous patch, are you sure you need
>> this code snippet above at this stage?
>>
>
> The brackets are not missing here, sorry for the confusion. Inside the for
> statement we only have the condition. Just the xt_late_add function 
> indentation is not correct.
>
> This code it's needed in order to translate from types numbers to type
> names, but we're ensuring after that which types names are similar in
> iptables and nftables. For example, with this code we get:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type destination-unreachable counter log 
> level warn
>
> Without this code:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type 3 counter log level warn
>
This looks good too. nftables will convert it to the type name anyway (if
one is available). See how the rule above shows up in the chain:

table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
icmp type destination-unreachable counter packets 0 bytes 0 log
}
}

But, anyway, wait for Pablo's comments about this.

>
>> > +   }
>> > +
>> > +   return 1;
>> > +}
>> > +
>> > +static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate 
>> > *xl,
>> > +  int numeric)
>> > +{
>> > +   const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
>> > +
>> > +   xt_xlate_add(xl, "icmp type%s ",
>> > +(info->invflags & IPT_ICMP_INV) ? " !=" : "");
>> > +

Re: [PATCH] configure: Show support for connlabel

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 11:30 PM, Pablo Neira Ayuso  wrote:
> On Mon, Mar 07, 2016 at 06:56:46PM +0100, Pablo Neira Ayuso wrote:
>> On Mon, Mar 07, 2016 at 11:05:15PM +0530, Shivani Bhardwaj wrote:
>> > Yes, I'll do that.
>> > I need a bit of help here.
>> > I followed some other modules for which support has been mentioned.
>> > For example, libipq
>> > When I first ran the configure script, it turned out
>> > IPQ support:  no
>> >
>> > I did next time with the option --enable-libipq
>> > As expected,
>> > IPQ support:  yes
>> >
>> > But I tried writing the output of both these cases to files, and when
>> > I looked for differences between the two, it turned out only this IPQ
>> > support line differed; in either case the following was shown
>> >
>> >  config.status: creating libipq/Makefile
>> >  config.status: creating libipq/libipq.pc
>> >
>> > (because this is a part of AC_CONFIG_FILES)
>> >
>> > I do not see any code associated with libipq in configure.ac.
>> > May be I'm not understanding how these options are working, could you
>> > please clarify a bit?
>>
>> Those are the userspace bits for the old ip_queue support that was
>> removed years ago, since NFQUEUE superseded it many years ago.
>>
>> commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84
>> Author: Pablo Neira Ayuso 
>> Date:   Tue May 8 19:45:28 2012 +0200
>>
>> netfilter: remove ip_queue support
>>
>> You can still cd iptables/libipq and type 'make' to compile the
>> this small userspace library since we have to keep new iptables
>> releases running with old kernels.
>
> Oh sorry, now I see.
>
> This is always compiling libipq even with --disable-libipq, this looks
> like a bug in our build infrastructure.

Yes. Also, I see that devel should have --disable-devel instead of
--enable-devel option and the appropriate functionality associated
with it. Please correct me if I am wrong here.


Re: [PATCH] configure: Show support for connlabel

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 7:39 PM, Pablo Neira Ayuso  wrote:
> On Mon, Mar 07, 2016 at 02:44:47PM +0530, Shivani Bhardwaj wrote:
>> Add the --enable-connlabel option and show whether it is already
>> supported.
>>
>> After this patch, iptables configuration shows up as:
>>
>> Iptables Configuration:
>>   IPv4 support:   yes
>>   IPv6 support:   yes
>>   Devel support:  yes
>>   IPQ support:no
>>   Large file support: yes
>>   BPF utils support:  no
>>   nfsynproxy util support:no
>>   nftables support:       yes
>>   connlabel support:  yes
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>>  configure.ac | 5 +
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/configure.ac b/configure.ac
>> index 33a8f2d..c946d69 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], 
>> AS_HELP_STRING([--with-pkgconfigdir=PATH],
>>  AC_ARG_ENABLE([nftables],
>>   AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
>>   [enable_nftables="$enableval"], [enable_nftables="yes"])
>> +AC_ARG_ENABLE([connlabel],
>> + AS_HELP_STRING([--enable-connlabel], [Build libnetfilter_conntrack]),
>> + [enable_connlabel="$enableval"], [enable_connlabel="yes"])
>
> I think there is still some missing code here. If the user requests
> connlabel but libnetfilter_conntrack (including the right version) is
> not available, then I would fail and display an error since the user
> is explicitly asking for this.
>
> Otherwise, we can fall back on the existing behaviour: just lazy check
> if it's there and enable it in that case. If the library is not
> present, just skip this.
>
> The --disable-connlabel should also work, in that case, we should skip
> adding support for this.
>
> Can you look into fitting this logic into this? Thanks.
>
Yes, I'll do that.
I need a bit of help here.
I followed some other modules for which support has been mentioned.
For example, libipq
When I first ran the configure script, it turned out
IPQ support:  no

I did next time with the option --enable-libipq
As expected,
IPQ support:  yes

But I tried writing the output of both these cases to files, and when
I looked for differences between the two, it turned out only this IPQ
support line differed; in either case the following was shown

 config.status: creating libipq/Makefile
 config.status: creating libipq/libipq.pc

(because this is a part of AC_CONFIG_FILES)

I do not see any code associated with libipq in configure.ac.
May be I'm not understanding how these options are working, could you
please clarify a bit?

Thank you.

>>  libiptc_LDFLAGS2="";
>>  AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
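Review bot: The help text added for the new option documents `--enable-connlabel`, but the default set on the next line is `enable_connlabel="yes"`, so `--enable-connlabel` is a no-op and the only spelling that changes anything is `--disable-connlabel`. The neighbouring nftables entry follows the autoconf convention of describing the non-default action, and this one should too: `AS_HELP_STRING([--disable-connlabel], [Do not build connlabel support])`. The wording "Build libnetfilter_conntrack" is also misleading, since the option governs whether iptables' connlabel support is built against that library, not whether the library itself is built. The same applies to the unquoted copy of this hunk in the standalone "[PATCH] configure: Show support for connlabel" email further down the page.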
>> @@ -114,6 +117,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = 
>> "yes"])
>>  AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
>>  AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
>>  AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
>> +AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
>>
>>  if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; 
>> then
>>   AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library 
>> required by bpf compiler or nfsynproxy tool))
>> @@ -243,6 +247,7 @@ Iptables Configuration:
>>BPF utils support: ${enable_bpfc}
>>nfsynproxy util support:   ${enable_nfsynproxy}
>>nftables support:  ${enable_nftables}
>> +  connlabel support: ${enable_connlabel}
>>
>>  Build parameters:
>>Put plugins into executable (static):  ${enable_static}
>> --
>> 1.9.1
>>


Re: [PATCH v3] extensions: libxt_dccp: Add translation to nft

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso  wrote:
> On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
>> Add translation for dccp to nftables.
>>
>> Full translation of this match awaits the support for --dccp-option.
>>
>> Examples:
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
>> nft add rule ip filter INPUT dccp sport 100 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
>> nft add rule ip filter INPUT dccp dport 100-200 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
>> nft add rule ip filter INPUT dccp dport != 100 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types 
>> REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
>> nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, 
>> data, ack, dataack, closereq, close, sync, syncack} counter
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>> Changes in v3:
>>   Return 0 if translation for dccp-option is demanded
>>
>> Changes in v2:
>> Fix bugs and remove invalid dccp type
>>
>> Following is not added in commit message as it is not translation code
>> issue:
>> * Since inversion of set is not possible in nftables, using dccp
>> with rules like
>> ...dccp type != {request, response}..
>> * dccp type reset
>> is going to throw errors.
>>
>>  extensions/libxt_dccp.c | 92 
>> +
>>  1 file changed, 92 insertions(+)
>>
>> diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
>> index a35cabb..0d4f369 100644
>> --- a/extensions/libxt_dccp.c
>> +++ b/extensions/libxt_dccp.c
>> @@ -277,6 +277,97 @@ static void dccp_save(const void *ip, const struct 
>> xt_entry_match *match)
>>   }
>>  }
>>
>> +static const char *const dccp_pkt_types_xlate[] = {
>> + [DCCP_PKT_REQUEST]  = "request",
>> + [DCCP_PKT_RESPONSE] = "response",
>> + [DCCP_PKT_DATA] = "data",
>> + [DCCP_PKT_ACK]  = "ack",
>> + [DCCP_PKT_DATAACK]  = "dataack",
>> + [DCCP_PKT_CLOSEREQ] = "closereq",
>> + [DCCP_PKT_CLOSE]= "close",
>> + [DCCP_PKT_RESET]= "reset",
>> + [DCCP_PKT_SYNC] = "sync",
>> + [DCCP_PKT_SYNCACK]  = "syncack",
>> +};
>> +
>> +static int dccp_type_xlate(const struct xt_dccp_info *einfo,
>> +struct xt_xlate *xl)
>> +{
>> + bool have_type = false, set_need = false;
>> + uint16_t types = einfo->typemask;
>> +
>> + if (types & (1 << DCCP_PKT_INVALID))
>> + return 0;
>> +
>> + xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
>> +
>> + if ((types != 0) && !(types == (types & -types))) {
>> + xt_xlate_add(xl, "{");
>> + set_need = true;
>> + }
>> +
>> + while (types) {
>> + unsigned int i;
>> +
>> + for (i = 0; !(types & (1 << i)); i++);
>> +
>> + if (have_type)
>> + xt_xlate_add(xl, ", ");
>> + else
>> + have_type = true;
>> +
>> + xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
>> +
>> + types &= ~(1 << i);
>> + }
>> +
>> + if (set_need)
>> + xt_xlate_add(xl, "}");
>> +
>> + xt_xlate_add(xl, " ");
>> +
>> + return 1;
>> +}
>> +
>> +static int dccp_xlate(const struct xt_entry_match *match,
>> +   struct xt_xlate *xl, int numeric)
>> +{
>> + const struct xt_dccp_info *einfo =
>> + (const struct xt_dccp_info *)match->data;
>> + int ret = 1;
>> +
>> + xt_xlate_add(xl, "dccp ");
>> +
>> + if (einfo->flags & XT_DCCP_SRC_PORTS) {
>> + if (einfo->spts[0] != einfo->spts[1])
>> + xt_xlate_add(xl, "sport%s %u-%u ",
>> +  einfo->invflags & XT_DCCP_SRC_PORTS ? " 
>> !=" : "",
>> +  einfo->spts[0], einf

Re: [PATCH] extensions: libxt_connlabel: Add translation to nft

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 7:02 PM, Pablo Neira Ayuso  wrote:
> On Mon, Mar 07, 2016 at 06:55:31PM +0530, Shivani Bhardwaj wrote:
>> On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso  
>> wrote:
>> > On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
>> >> Shivani Bhardwaj  wrote:
>> >> > Add translation for connlabel to nftables.
>> >> > Full translation for this match awaits the support for --set option.
>> >>
>> >> Hmm, I sent patches for that a while ago, don't know why they were
>> >> not applied... Pablo?
>> >
>> > Please, push the the connlabel support to nft.
>> >
>> > We can probably introduce something like:
>> >
>> > ct connlabel bitset bar
>> >
>> > instead of:
>> >
>> > ct connlabel set ct connlabel | bar
>> >
>> > in a follow up patch, which looks more compact to me. We can accept
>> > both syntax I'd say so we can introduce this without breaking
>> > backward.
>>
>> Should I be waiting for this or send a v2 with the existing options?
>
> The current translation seems fine (unless Florian indicates
> otherwise). We can incrementally improve this.

Yes, Florian pointed out that the translation corresponding to inversion
is incorrect, so I already need to fix that.


Re: [PATCH] extensions: libxt_connlabel: Add translation to nft

2016-03-07 Thread Shivani Bhardwaj
On Mon, Mar 7, 2016 at 6:35 PM, Pablo Neira Ayuso  wrote:
> On Sun, Mar 06, 2016 at 01:07:03AM +0100, Florian Westphal wrote:
>> Shivani Bhardwaj  wrote:
>> > Add translation for connlabel to nftables.
>> > Full translation for this match awaits the support for --set option.
>>
>> Hmm, I sent patches for that a while ago, don't know why they were
>> not applied... Pablo?
>
> Please, push the the connlabel support to nft.
>
> We can probably introduce something like:
>
> ct connlabel bitset bar
>
> instead of:
>
> ct connlabel set ct connlabel | bar
>
> in a follow up patch, which looks more compact to me. We can accept
> both syntax I'd say so we can introduce this without breaking
> backward.

Should I be waiting for this or send a v2 with the existing options?
Please let me know.
Thanks.


[PATCH] configure: Show support for connlabel

2016-03-07 Thread Shivani Bhardwaj
Add the --enable-connlabel option and show whether it is already
supported.

After this patch, iptables configuration shows up as:

Iptables Configuration:
  IPv4 support: yes
  IPv6 support: yes
  Devel support:yes
  IPQ support:  no
  Large file support:   yes
  BPF utils support:no
  nfsynproxy util support:  no
  nftables support: yes
  connlabel support:yes

Signed-off-by: Shivani Bhardwaj 
---
 configure.ac | 5 +
 1 file changed, 5 insertions(+)

diff --git a/configure.ac b/configure.ac
index 33a8f2d..c946d69 100644
--- a/configure.ac
+++ b/configure.ac
@@ -63,6 +63,9 @@ AC_ARG_WITH([pkgconfigdir], 
AS_HELP_STRING([--with-pkgconfigdir=PATH],
 AC_ARG_ENABLE([nftables],
AS_HELP_STRING([--disable-nftables], [Do not build nftables compat]),
[enable_nftables="$enableval"], [enable_nftables="yes"])
+AC_ARG_ENABLE([connlabel],
+   AS_HELP_STRING([--enable-connlabel], [Build libnetfilter_conntrack]),
+   [enable_connlabel="$enableval"], [enable_connlabel="yes"])
 
 libiptc_LDFLAGS2="";
 AX_CHECK_LINKER_FLAGS([-Wl,--no-as-needed],
@@ -114,6 +117,7 @@ AM_CONDITIONAL([ENABLE_LIBIPQ], [test "$enable_libipq" = 
"yes"])
 AM_CONDITIONAL([ENABLE_BPFC], [test "$enable_bpfc" = "yes"])
 AM_CONDITIONAL([ENABLE_SYNCONF], [test "$enable_nfsynproxy" = "yes"])
 AM_CONDITIONAL([ENABLE_NFTABLES], [test "$enable_nftables" = "yes"])
+AM_CONDITIONAL([ENABLE_CONNLABEL], [test "$enable_connlabel" = "yes"])
 
 if test "x$enable_bpfc" = "xyes" || test "x$enable_nfsynproxy" = "xyes"; then
AC_CHECK_LIB(pcap, pcap_compile,, AC_MSG_ERROR(missing libpcap library 
required by bpf compiler or nfsynproxy tool))
@@ -243,6 +247,7 @@ Iptables Configuration:
   BPF utils support:   ${enable_bpfc}
   nfsynproxy util support: ${enable_nfsynproxy}
   nftables support:${enable_nftables}
+  connlabel support:   ${enable_connlabel}
 
 Build parameters:
   Put plugins into executable (static):${enable_static}
-- 
1.9.1



Re: [PATCH] extensions: libipt_icmp: Add translation to nft

2016-03-06 Thread Shivani Bhardwaj
On Sun, Mar 6, 2016 at 1:30 AM, Laura Garcia Liebana  wrote:
> Add translation for icmp to nftables.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type any -j LOG
> nft add rule ip filter INPUT icmp type any counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3/1 -j LOG
> nft add rule ip filter INPUT icmp type host-unreachable counter log level warn
>
> $ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j LOG
> nft add rule ip filter INPUT icmp type != destination-unreachable counter log 
> level warn
>

Hi Laura,

There are some icmp types that nftables does not support; have you
tried adding rules corresponding to all the packet types?

$ sudo nft add table filter
$ sudo nft add chain filter INPUT { type filter hook input priority 0\;}
$ sudo 

Please consider finding out such packet types and mention about them
in commit message.
Same for icmpv6.

> Signed-off-by: Laura Garcia Liebana 
> ---
>  extensions/libipt_icmp.c | 33 -
>  1 file changed, 32 insertions(+), 1 deletion(-)
>
> diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
> index 666e7da..795172f 100644
> --- a/extensions/libipt_icmp.c
> +++ b/extensions/libipt_icmp.c
> @@ -218,7 +218,7 @@ static void print_icmptype(uint8_t type,
>  }
>
>  static void icmp_print(const void *ip, const struct xt_entry_match *match,
> -   int numeric)
> +  int numeric)
>  {
> const struct ipt_icmp *icmp = (struct ipt_icmp *)match->data;
>
> @@ -249,6 +249,36 @@ static void icmp_save(const void *ip, const struct 
> xt_entry_match *match)
> }
>  }
>
> +static void type_xlate_print(struct xt_xlate *xl, unsigned int icmptype,
> +unsigned int code_min, unsigned int code_max)
> +{
> +   unsigned int i;
> +
> +   for (i = 0; ARRAY_SIZE(icmp_codes); i++)

Also, here you are using the icmp_codes array, which will produce the
same packet names as iptables. But some packet names are different in
nftables -- maybe not for icmp, but for icmp6. Please have a look at
this.

Thanks.

> +   if (icmp_codes[i].type == icmptype &&
> +   icmp_codes[i].code_min == code_min &&
> +   icmp_codes[i].code_max == code_max)
> +   break;
> +
> +   xt_xlate_add(xl, icmp_codes[i].name);
> +}
> +
> +static int icmp_xlate(const struct xt_entry_match *match, struct xt_xlate 
> *xl,
> +  int numeric)
> +{
> +   const struct ipt_icmp *info = (struct ipt_icmp *)match->data;
> +
> +   xt_xlate_add(xl, "icmp type%s ",
> +(info->invflags & IPT_ICMP_INV) ? " !=" : "");
> +
> +   type_xlate_print(xl, info->type, info->code[0], info->code[1]);
> +
> +   xt_xlate_add(xl, " ");
> +
> +   return 1;
> +}
> +
> +
>  static struct xtables_match icmp_mt_reg = {
> .name   = "icmp",
> .version= XTABLES_VERSION,
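Review bot: The lookup loop `for (i = 0; ARRAY_SIZE(icmp_codes); i++)` in type_xlate_print has no bound: `ARRAY_SIZE(icmp_codes)` is a non-zero constant, so the only exit is the `break` on a match, and a type/code combination that is not in the table walks `i` past the end and `icmp_codes[i].name` reads out of bounds. The condition should be `i < ARRAY_SIZE(icmp_codes)`, followed by a guard such as `if (i == ARRAY_SIZE(icmp_codes)) { xt_xlate_add(xl, "%u", icmptype); return; }` so an unknown type is emitted numerically instead of indexing past the table. Separately, `xt_xlate_add(xl, icmp_codes[i].name)` passes table text as the format argument; `xt_xlate_add(xl, "%s", icmp_codes[i].name)` keeps the format string fixed, as the dccp translation elsewhere on this page does.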
> @@ -261,6 +291,7 @@ static struct xtables_match icmp_mt_reg = {
> .save   = icmp_save,
> .x6_parse   = icmp_parse,
> .x6_options = icmp_opts,
> +   .xlate  = icmp_xlate,
>  };
>
>  void _init(void)
> --
> 2.7.0
>


[PATCH] extensions: libxt_connlabel: Add translation to nft

2016-03-05 Thread Shivani Bhardwaj
Add translation for connlabel to nftables.
Full translation for this match awaits the support for --set option.

Examples:

$ sudo iptables-translate -A INPUT -m connlabel --label eth0-in
nft add rule ip filter INPUT ct label eth0-in counter

$ sudo iptables-translate -A INPUT -m connlabel ! --label eth0-out
nft add rule ip filter INPUT ct label != eth0-out counter

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_connlabel.c | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index 1f83095..c3a96a6 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -118,6 +118,28 @@ connlabel_mt_save(const void *ip, const struct 
xt_entry_match *match)
connlabel_mt_print_op(info, "--");
 }
 
+static int
+connlabel_mt_xlate(const struct xt_entry_match *match,
+  struct xt_xlate *xl, int numeric)
+{
+   const struct xt_connlabel_mtinfo *info = (const void *)match->data;
+   const char *name = connlabel_get_name(info->bit);
+
+   if (name)
+   xt_xlate_add(xl, "ct label %s%s ",
+info->options & XT_CONNLABEL_OP_INVERT ? "!= " : 
"",
+name);
+   else
+   xt_xlate_add(xl, "ct label %s%u ",
+info->options & XT_CONNLABEL_OP_INVERT ? "!= " : 
"",
+info->bit);
+
+   if (info->options & XT_CONNLABEL_OP_SET)
+   return 0;
+
+   return 1;
+}
+
 static struct xtables_match connlabel_mt_reg = {
.family= NFPROTO_UNSPEC,
.name  = "connlabel",
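Review bot: connlabel_mt_xlate writes `ct label ...` into xl through xt_xlate_add before it tests `info->options & XT_CONNLABEL_OP_SET`, so for the unsupported --set case the function returns 0 only after leaving a partial translation in the buffer. Move the check to the top of the function, `if (info->options & XT_CONNLABEL_OP_SET) return 0;` ahead of the first xt_xlate_add, so an untranslatable match bails out without emitting anything; whether the caller discards the buffer on a 0 return is not visible here, so not relying on it is the safer shape.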
@@ -129,6 +151,7 @@ static struct xtables_match connlabel_mt_reg = {
.save  = connlabel_mt_save,
.x6_parse  = connlabel_mt_parse,
.x6_options= connlabel_mt_opts,
+   .xlate = connlabel_mt_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH v3] extensions: libxt_dccp: Add translation to nft

2016-03-03 Thread Shivani Bhardwaj
Add translation for dccp to nftables.

Full translation of this match awaits the support for --dccp-option.

Examples:

$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types 
REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, 
ack, dataack, closereq, close, sync, syncack} counter

Signed-off-by: Shivani Bhardwaj 
---
Changes in v3:
Return 0 if translation for dccp-option is demanded

Changes in v2:
Fix bugs and remove invalid dccp type

The following is not added to the commit message as it is not a
translation code issue:
* Since inversion of set is not possible in nftables, using dccp
with rules like
...dccp type != {request, response}..
* dccp type reset
is going to throw errors.

 extensions/libxt_dccp.c | 92 +
 1 file changed, 92 insertions(+)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index a35cabb..0d4f369 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -277,6 +277,97 @@ static void dccp_save(const void *ip, const struct 
xt_entry_match *match)
}
 }
 
+static const char *const dccp_pkt_types_xlate[] = {
+   [DCCP_PKT_REQUEST]  = "request",
+   [DCCP_PKT_RESPONSE] = "response",
+   [DCCP_PKT_DATA] = "data",
+   [DCCP_PKT_ACK]  = "ack",
+   [DCCP_PKT_DATAACK]  = "dataack",
+   [DCCP_PKT_CLOSEREQ] = "closereq",
+   [DCCP_PKT_CLOSE]= "close",
+   [DCCP_PKT_RESET]= "reset",
+   [DCCP_PKT_SYNC] = "sync",
+   [DCCP_PKT_SYNCACK]  = "syncack",
+};
+
+static int dccp_type_xlate(const struct xt_dccp_info *einfo,
+  struct xt_xlate *xl)
+{
+   bool have_type = false, set_need = false;
+   uint16_t types = einfo->typemask;
+
+   if (types & (1 << DCCP_PKT_INVALID))
+   return 0;
+
+   xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
+
+   if ((types != 0) && !(types == (types & -types))) {
+   xt_xlate_add(xl, "{");
+   set_need = true;
+   }
+
+   while (types) {
+   unsigned int i;
+
+   for (i = 0; !(types & (1 << i)); i++);
+
+   if (have_type)
+   xt_xlate_add(xl, ", ");
+   else
+   have_type = true;
+
+   xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
+
+   types &= ~(1 << i);
+   }
+
+   if (set_need)
+   xt_xlate_add(xl, "}");
+
+   xt_xlate_add(xl, " ");
+
+   return 1;
+}
+
+static int dccp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_dccp_info *einfo =
+   (const struct xt_dccp_info *)match->data;
+   int ret = 1;
+
+   xt_xlate_add(xl, "dccp ");
+
+   if (einfo->flags & XT_DCCP_SRC_PORTS) {
+   if (einfo->spts[0] != einfo->spts[1])
+   xt_xlate_add(xl, "sport%s %u-%u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0], einfo->spts[1]);
+   else
+   xt_xlate_add(xl, "sport%s %u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_DEST_PORTS) {
+   if (einfo->dpts[0] != einfo->dpts[1])
+   xt_xlate_add(xl, "dport%s %u-%u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0], einfo->dpts[1]);
+   else
+   xt_xlate_add(xl, "dport%s %u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_TYPE)
+   ret = dccp_type_xlate(einfo, xl);
+
+   if (einfo->flag

[PATCH v2] extensions: libxt_dccp: Add translation to nft

2016-03-03 Thread Shivani Bhardwaj
Add translation for dccp to nftables.

Full translation of this match awaits the support for --dccp-option.

Examples:

$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types 
REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, 
ack, dataack, closereq, close, sync, syncack} counter

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Fix bugs and remove invalid dccp type

The following is not added to the commit message as it is not a
translation code issue:
* Since inversion of set is not possible in nftables, using dccp
with rules like
...dccp type != {request, response}..
* dccp type reset
is going to throw errors.

 extensions/libxt_dccp.c | 89 +
 1 file changed, 89 insertions(+)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index a35cabb..8bccd7a 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -277,6 +277,94 @@ static void dccp_save(const void *ip, const struct 
xt_entry_match *match)
}
 }
 
+static const char *const dccp_pkt_types_xlate[] = {
+   [DCCP_PKT_REQUEST]  = "request",
+   [DCCP_PKT_RESPONSE] = "response",
+   [DCCP_PKT_DATA] = "data",
+   [DCCP_PKT_ACK]  = "ack",
+   [DCCP_PKT_DATAACK]  = "dataack",
+   [DCCP_PKT_CLOSEREQ] = "closereq",
+   [DCCP_PKT_CLOSE]= "close",
+   [DCCP_PKT_RESET]= "reset",
+   [DCCP_PKT_SYNC] = "sync",
+   [DCCP_PKT_SYNCACK]  = "syncack",
+};
+
+static int dccp_type_xlate(const struct xt_dccp_info *einfo,
+  struct xt_xlate *xl)
+{
+   bool have_type = false, set_need = false;
+   uint16_t types = einfo->typemask;
+
+   if (types & (1 << DCCP_PKT_INVALID))
+   return 0;
+
+   xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
+
+   if ((types != 0) && !(types == (types & -types))) {
+   xt_xlate_add(xl, "{");
+   set_need = true;
+   }
+
+   while (types) {
+   unsigned int i;
+
+   for (i = 0; !(types & (1 << i)); i++);
+
+   if (have_type)
+   xt_xlate_add(xl, ", ");
+   else
+   have_type = true;
+
+   xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
+
+   types &= ~(1 << i);
+   }
+
+   if (set_need)
+   xt_xlate_add(xl, "}");
+
+   xt_xlate_add(xl, " ");
+
+   return 1;
+}
+
+static int dccp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_dccp_info *einfo =
+   (const struct xt_dccp_info *)match->data;
+   int ret = 1;
+
+   xt_xlate_add(xl, "dccp ");
+
+   if (einfo->flags & XT_DCCP_SRC_PORTS) {
+   if (einfo->spts[0] != einfo->spts[1])
+   xt_xlate_add(xl, "sport%s %u-%u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0], einfo->spts[1]);
+   else
+   xt_xlate_add(xl, "sport%s %u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_DEST_PORTS) {
+   if (einfo->dpts[0] != einfo->dpts[1])
+   xt_xlate_add(xl, "dport%s %u-%u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0], einfo->dpts[1]);
+   else
+   xt_xlate_add(xl, "dport%s %u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_TYPE)
+   ret = dccp_type_xlate(einfo, xl);
+
+   return ret;
+}
 static struct xtables_match dccp_match = {
.name   = "dccp",

[PATCH v2] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.

Examples:

$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop

$ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add code to check if flags is set

 extensions/libxt_sctp.c | 37 +
 1 file changed, 37 insertions(+)

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 56a4cdf..3b0b048 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -485,6 +485,42 @@ static void sctp_save(const void *ip, const struct 
xt_entry_match *match)
}
 }
 
+static int sctp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_sctp_info *einfo =
+   (const struct xt_sctp_info *)match->data;
+
+   if (!einfo->flags)
+   return 0;
+
+   xt_xlate_add(xl, "sctp ");
+
+   if (einfo->flags & XT_SCTP_SRC_PORTS) {
+   if (einfo->spts[0] != einfo->spts[1])
+   xt_xlate_add(xl, "sport%s %u-%u ",
+einfo->invflags & XT_SCTP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0], einfo->spts[1]);
+   else
+   xt_xlate_add(xl, "sport%s %u ",
+einfo->invflags & XT_SCTP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0]);
+   }
+
+   if (einfo->flags & XT_SCTP_DEST_PORTS) {
+   if (einfo->dpts[0] != einfo->dpts[1])
+   xt_xlate_add(xl, "dport%s %u-%u ",
+einfo->invflags & XT_SCTP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0], einfo->dpts[1]);
+   else
+   xt_xlate_add(xl, "dport%s %u ",
+einfo->invflags & XT_SCTP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0]);
+   }
+
+   return 1;
+}
+
 static struct xtables_match sctp_match = {
.name   = "sctp",
.family = NFPROTO_UNSPEC,
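Review bot: sctp_xlate reports success for a match whose constraint is a chunk-type list: the description says --chunk-types is not translated yet, but nothing in the hunk tests that flag, so such a rule passes the `!einfo->flags` guard, emits a bare `sctp ` (or only the port clauses) and returns 1, yielding an nft rule that matches more traffic than the iptables original. Add `if (einfo->flags & XT_SCTP_CHUNK_TYPES) return 0;` before the first xt_xlate_add, in the same way the v3 dccp patch on this page describes returning 0 when its unsupported option is requested.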
@@ -497,6 +533,7 @@ static struct xtables_match sctp_match = {
.print  = sctp_print,
.save   = sctp_save,
.extra_opts = sctp_opts,
+   .xlate  = sctp_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH v2] extensions: libxt_owner: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
Add translation for module owner to nftables.
Full translation of this match awaits the support for --socket-exists
option.

Examples:

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner 
--uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner 
--gid-owner 0-10 -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! 
--uid-owner shivani -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add different functions for skuid and skgid

 extensions/libxt_owner.c | 51 
 1 file changed, 51 insertions(+)

diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index d9adc12..2085de8 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -492,6 +492,56 @@ static void owner_mt_save(const void *ip, const struct 
xt_entry_match *match)
owner_mt_print_item(info, "--gid-owner",  XT_OWNER_GID,true);
 }
 
+static int
+owner_mt_print_uid_xlate(const struct xt_owner_match_info *info,
+struct xt_xlate *xl)
+{
+   xt_xlate_add(xl, "skuid%s ", info->invert ? " !=" : "");
+
+   if (info->uid_min != info->uid_max)
+   xt_xlate_add(xl, "%u-%u ", (unsigned int)info->uid_min,
+(unsigned int)info->uid_max);
+   else
+   xt_xlate_add(xl, "%u ", (unsigned int)info->uid_min);
+
+   return 1;
+}
+
+static int
+owner_mt_print_gid_xlate(const struct xt_owner_match_info *info,
+struct xt_xlate *xl)
+{
+   xt_xlate_add(xl, "skgid%s ", info->invert ? " !=" : "");
+
+   if (info->gid_min != info->gid_max)
+   xt_xlate_add(xl, "%u-%u ", (unsigned int)info->gid_min,
+(unsigned int)info->gid_max);
+   else
+   xt_xlate_add(xl, "%u ", (unsigned int)info->gid_min);
+
+   return 1;
+}
+
+static int owner_mt_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_owner_match_info *info = (void *)match->data;
+   int ret;
+
+   switch (info->match) {
+   case XT_OWNER_UID:
+   ret = owner_mt_print_uid_xlate(info, xl);
+   break;
+   case XT_OWNER_GID:
+   ret = owner_mt_print_gid_xlate(info, xl);
+   break;
+   default:
+   ret = 0;
+   }
+
+   return ret;
+}
+
 static struct xtables_match owner_mt_reg[] = {
{
.version   = XTABLES_VERSION,
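Review bot: `switch (info->match)` in owner_mt_xlate treats `match` as a single value, but it is a bitmask — the existing code tests it with `&` (`owner_mt_print_item(info, "--gid-owner", XT_OWNER_GID, ...)` in the context above, and the v1 helper's `info->match & flag`) — so a rule giving both --uid-owner and --gid-owner falls into `default`, returns 0 and is reported untranslatable. In the same way `info->invert ? " !=" : ""` in both helpers negates every match when only one of them was inverted; the invert byte is also per-flag. Testing each flag independently and masking invert per flag fixes both, while --socket-exists (XT_OWNER_SOCKET, which the description says is not yet translatable) should keep returning 0 explicitly. `numeric` being unused is fine for the callback signature.
```c
static int
owner_mt_print_uid_xlate(const struct xt_owner_match_info *info,
			 struct xt_xlate *xl)
{
	xt_xlate_add(xl, "skuid%s ",
		     info->invert & XT_OWNER_UID ? " !=" : "");
	/* … unchanged: uid_min/uid_max output … */
}

/* … unchanged: owner_mt_print_gid_xlate, with info->invert & XT_OWNER_GID … */

static int owner_mt_xlate(const struct xt_entry_match *match,
			  struct xt_xlate *xl, int numeric)
{
	const struct xt_owner_match_info *info = (void *)match->data;

	/* --socket-exists has no nft equivalent yet: report untranslatable */
	if (info->match & XT_OWNER_SOCKET)
		return 0;

	if (info->match & XT_OWNER_UID)
		owner_mt_print_uid_xlate(info, xl);
	if (info->match & XT_OWNER_GID)
		owner_mt_print_gid_xlate(info, xl);

	return 1;
}
```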
@@ -534,6 +584,7 @@ static struct xtables_match owner_mt_reg[] = {
.print = owner_mt_print,
.save  = owner_mt_save,
.x6_options= owner_mt_opts,
+   .xlate = owner_mt_xlate,
},
 };
 
-- 
1.9.1



Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso  wrote:
> On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
>> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
>> > Add translation for sctp to nftables.
>> > Full translation of this match awaits the support for --chunk-types
>> > option.
>>
>> Please, keep this documented in the wiki too so we remember there is a
>> partial translation for this.
>>
>> > Examples:
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
>> > nft add rule ip filter INPUT sctp dport 80 counter drop
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
>> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
>>
>> Applied, thanks Shivani.
>
> Sorry, I have to keep this back.
>
> This crazy thing seems to be valid:
>
> iptables -I INPUT -p sctp -m sctp
>
> and this will be translated as:
>
> nft add rule filter INPUT ip protocol sctp sctp

dmesg shows me

x_tables: ip_tables: sctp match: only valid for protocol 132

which means the sctp match is only valid for the sctp protocol. There should not be an
sctp match (correct me if I am wrong here); should this be filed on
bugzilla?


Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
On Wed, Mar 2, 2016 at 5:19 PM, Pablo Neira Ayuso  wrote:
> On Wed, Mar 02, 2016 at 03:22:43AM +0530, Shivani Bhardwaj wrote:
>> Add translation for module hop-by-hop to nftables.
>> Full translation of this match awaits the support for --hbh-opts option.
>>
>> Examples:
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength 33 counter
>>
>> $ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
>> nft add rule ip6 filter INPUT hbh hdrlength != 33 counter
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>>  extensions/libip6t_hbh.c | 17 +
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
>> index c0389ed..f968036 100644
>> --- a/extensions/libip6t_hbh.c
>> +++ b/extensions/libip6t_hbh.c
>> @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct 
>> xt_entry_match *match)
>>   print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
>>  }
>>
>> +static int hbh_xlate(const struct xt_entry_match *match,
>> +  struct xt_xlate *xl, int numeric)
>> +{
>> + const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
>> +
>> + xt_xlate_add(xl, "hbh ");
>> +
>> + if (optinfo->flags & IP6T_OPTS_LEN) {
>
> If no header length is passed, then this will print:
>
> nft add rule ip6 filter INPUT hbh counter
>

What rule should be generated when none of the options is given?

# iptables-translate -A INPUT -m hbh
?

> which will not work.


[PATCH v2] extensions: libip6t_MASQUERADE: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
Add translation for masquerade to nftables.

Examples:

$ sudo ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip6 nat POSTROUTING counter masquerade

$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE 
--to-ports 10
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10

$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE 
--to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20 
random

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add code for masquerading port range selection

 extensions/libip6t_MASQUERADE.c | 22 ++
 1 file changed, 22 insertions(+)

diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
index eb9213e..5a309ac 100644
--- a/extensions/libip6t_MASQUERADE.c
+++ b/extensions/libip6t_MASQUERADE.c
@@ -131,6 +131,27 @@ MASQUERADE_save(const void *ip, const struct 
xt_entry_target *target)
printf(" --random");
 }
 
+static int
+MASQUERADE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct nf_nat_range *r = (const void *)target->data;
+
+   xt_xlate_add(xl, "masquerade");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+   xt_xlate_add(xl, " to :%hu", ntohs(r->min_proto.tcp.port));
+   if (r->max_proto.tcp.port != r->min_proto.tcp.port)
+   xt_xlate_add(xl, "-%hu", ntohs(r->max_proto.tcp.port));
+   }
+
+   xt_xlate_add(xl, " ");
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+   xt_xlate_add(xl, "random ");
+
+   return 1;
+}
+
 static struct xtables_target masquerade_tg_reg = {
.name   = "MASQUERADE",
.version= XTABLES_VERSION,
@@ -142,6 +163,7 @@ static struct xtables_target masquerade_tg_reg = {
.print  = MASQUERADE_print,
.save   = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
+   .xlate  = MASQUERADE_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH v2] extensions: libipt_MASQUERADE: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
Add translation for masquerade to nftables.

Examples:

$ sudo iptables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip nat POSTROUTING counter masquerade

$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 
10
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10

$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 
10-20 --random
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 
random

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add code for masquerade port range selection

 extensions/libipt_MASQUERADE.c | 24 
 1 file changed, 24 insertions(+)

diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index ea07445..d1393c1 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -134,6 +134,29 @@ MASQUERADE_save(const void *ip, const struct 
xt_entry_target *target)
printf(" --random");
 }
 
+static int
+MASQUERADE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct nf_nat_ipv4_multi_range_compat *mr =
+   (const void *)target->data;
+   const struct nf_nat_ipv4_range *r = &mr->range[0];
+
+   xt_xlate_add(xl, "masquerade");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+   xt_xlate_add(xl, " to :%hu", ntohs(r->min.tcp.port));
+   if (r->max.tcp.port != r->min.tcp.port)
+   xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port));
+}
+
+   xt_xlate_add(xl, " ");
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+   xt_xlate_add(xl, "random ");
+
+   return 1;
+}
+
 static struct xtables_target masquerade_tg_reg = {
.name   = "MASQUERADE",
.version= XTABLES_VERSION,
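Review bot: The closing brace of the `if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED)` block (the `}` right after the `"-%hu"` line) is at the wrong indentation, not aligned with its `if`; checkpatch will flag it, and the libip6t_MASQUERADE version of this function above is indented correctly. The function also reads only `mr->range[0]` without looking at `mr->rangesize`; if the parser guarantees exactly one range for MASQUERADE that is fine, but a one-line comment such as `/* MASQUERADE always carries a single range */` would tell the reader why the index is safe.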
@@ -146,6 +169,7 @@ static struct xtables_target masquerade_tg_reg = {
.print  = MASQUERADE_print,
.save   = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
+   .xlate  = MASQUERADE_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH] extensions: libip6t_hbh: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for module hop-by-hop to nftables.
Full translation of this match awaits the support for --hbh-opts option.

Examples:

$ sudo ip6tables-translate -A INPUT -m hbh --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength 33 counter

$ sudo ip6tables-translate -A INPUT -m hbh ! --hbh-len 33
nft add rule ip6 filter INPUT hbh hdrlength != 33 counter

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libip6t_hbh.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c
index c0389ed..f968036 100644
--- a/extensions/libip6t_hbh.c
+++ b/extensions/libip6t_hbh.c
@@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct 
xt_entry_match *match)
print_options(optinfo->optsnr, (uint16_t *)optinfo->opts);
 }
 
+static int hbh_xlate(const struct xt_entry_match *match,
+struct xt_xlate *xl, int numeric)
+{
+   const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;
+
+   xt_xlate_add(xl, "hbh ");
+
+   if (optinfo->flags & IP6T_OPTS_LEN) {
+   xt_xlate_add(xl, "hdrlength%s %u ",
+optinfo->invflags & IP6T_OPTS_INV_LEN ? " !=" : "",
+optinfo->hdrlen);
+   }
+
+   return 1;
+}
+
 static struct xtables_match hbh_mt6_reg = {
.name   = "hbh",
.version= XTABLES_VERSION,
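Review bot: hbh_xlate returns 1 even when `optinfo->optsnr` is non-zero, so a rule using --hbh-opts (which the description says is not yet translatable) is emitted with the option list silently dropped; add `if (optinfo->optsnr) return 0;` before the hdrlength check so the caller marks the rule untranslatable instead. The cast `(struct ip6t_opts *)match->data` discards const — `(const struct ip6t_opts *)match->data` matches how sctp_xlate on this page treats `match->data`.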
@@ -175,6 +191,7 @@ static struct xtables_match hbh_mt6_reg = {
.save   = hbh_save,
.x6_parse   = hbh_parse,
.x6_options = hbh_opts,
+   .xlate  = hbh_xlate,
 };
 
 void
-- 
1.9.1



[PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.

Examples:

$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop

$ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_sctp.c | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/extensions/libxt_sctp.c b/extensions/libxt_sctp.c
index 56a4cdf..626e873 100644
--- a/extensions/libxt_sctp.c
+++ b/extensions/libxt_sctp.c
@@ -485,6 +485,39 @@ static void sctp_save(const void *ip, const struct 
xt_entry_match *match)
}
 }
 
+static int sctp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_sctp_info *einfo =
+   (const struct xt_sctp_info *)match->data;
+
+   xt_xlate_add(xl, "sctp ");
+
+   if (einfo->flags & XT_SCTP_SRC_PORTS) {
+   if (einfo->spts[0] != einfo->spts[1])
+   xt_xlate_add(xl, "sport%s %u-%u ",
+einfo->invflags & XT_SCTP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0], einfo->spts[1]);
+   else
+   xt_xlate_add(xl, "sport%s %u ",
+einfo->invflags & XT_SCTP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0]);
+   }
+
+   if (einfo->flags & XT_SCTP_DEST_PORTS) {
+   if (einfo->dpts[0] != einfo->dpts[1])
+   xt_xlate_add(xl, "dport%s %u-%u ",
+einfo->invflags & XT_SCTP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0], einfo->dpts[1]);
+   else
+   xt_xlate_add(xl, "dport%s %u ",
+einfo->invflags & XT_SCTP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0]);
+   }
+
+   return 1;
+}
+
 static struct xtables_match sctp_match = {
.name   = "sctp",
.family = NFPROTO_UNSPEC,
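Review bot: sctp_xlate never looks at XT_SCTP_CHUNK_TYPES, so a rule with --chunk-types (which the description says is not yet translatable) is translated with that constraint silently dropped; `if (einfo->flags & XT_SCTP_CHUNK_TYPES) return 0;` before the port checks lets the caller flag the rule instead. The copy of sctp_xlate at the top of this page has the same gap.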
@@ -497,6 +530,7 @@ static struct xtables_match sctp_match = {
.print  = sctp_print,
.save   = sctp_save,
.extra_opts = sctp_opts,
+   .xlate  = sctp_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH] extensions: libxt_owner: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for module owner to nftables.
Full translation of this match awaits the support for --socket-exists
option.

Examples:

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner 
--uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner 
--gid-owner 0-10 -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept

$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! 
--uid-owner shivani -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_owner.c | 57 
 1 file changed, 57 insertions(+)

diff --git a/extensions/libxt_owner.c b/extensions/libxt_owner.c
index d9adc12..d81080a 100644
--- a/extensions/libxt_owner.c
+++ b/extensions/libxt_owner.c
@@ -492,6 +492,62 @@ static void owner_mt_save(const void *ip, const struct 
xt_entry_match *match)
owner_mt_print_item(info, "--gid-owner",  XT_OWNER_GID,true);
 }
 
+static void
+owner_mt_print_item_xlate(const struct xt_owner_match_info *info,
+ const char *label, uint8_t flag,
+ struct xt_xlate *xl, bool numeric)
+{
+   if (!(info->match & flag))
+   return;
+
+   xt_xlate_add(xl, "%s%s", label, info->invert & flag ? "!= " : "");
+
+   switch (info->match & flag) {
+   case XT_OWNER_UID:
+   if (info->uid_min != info->uid_max) {
+   xt_xlate_add(xl, "%u-%u ", (unsigned int)info->uid_min,
+(unsigned int)info->uid_max);
+   break;
+   } else if (!numeric) {
+   const struct passwd *pwd = getpwuid(info->uid_min);
+
+   if (pwd != NULL && pwd->pw_name != NULL) {
+   xt_xlate_add(xl, " %s", pwd->pw_name);
+   break;
+   }
+   }
+   xt_xlate_add(xl, "%u ", (unsigned int)info->uid_min);
+   break;
+
+   case XT_OWNER_GID:
+   if (info->gid_min != info->gid_max) {
+   xt_xlate_add(xl, "%u-%u ", (unsigned int)info->gid_min,
+(unsigned int)info->gid_max);
+   break;
+   } else if (!numeric) {
+   const struct group *grp = getgrgid(info->gid_min);
+
+   if (grp != NULL && grp->gr_name != NULL) {
+   xt_xlate_add(xl, "%s ", grp->gr_name);
+   break;
+   }
+   }
+   xt_xlate_add(xl, "%u ", (unsigned int)info->gid_min);
+   break;
+   }
+}
+
+static int owner_mt_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_owner_match_info *info = (void *)match->data;
+
+   owner_mt_print_item_xlate(info, "skuid ", XT_OWNER_UID, xl, true);
+   owner_mt_print_item_xlate(info, "skgid ", XT_OWNER_GID, xl, true);
+
+   return 1;
+}
+
 static struct xtables_match owner_mt_reg[] = {
{
.version   = XTABLES_VERSION,
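Review bot: In the `!numeric` uid branch `xt_xlate_add(xl, " %s", pwd->pw_name)` puts the space before the name and none after, unlike every other branch (`"%u "`, `"%s "`), so the output would read `skuid  root` glued to whatever follows; `xt_xlate_add(xl, "%s ", pwd->pw_name);` as the gid branch does. Both call sites pass `numeric` as `true`, so the getpwuid/getgrgid branches are unreachable as submitted — either drop them or thread the callback's `numeric` argument through; emitting numeric ids is also the safer default, since the translated rule may be loaded on a host with a different passwd database. As in the v2 patch, --socket-exists (XT_OWNER_SOCKET) is silently ignored and the function still returns 1.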
@@ -534,6 +590,7 @@ static struct xtables_match owner_mt_reg[] = {
.print = owner_mt_print,
.save  = owner_mt_save,
.x6_options= owner_mt_opts,
+   .xlate = owner_mt_xlate,
},
 };
 
-- 
1.9.1



[PATCH] extensions: libip6t_MASQUERADE: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for target masquerade to nftables.
Full translation of this target awaits the support for --to-ports
option.

Examples:

$ sudo ip6tables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip6 nat POSTROUTING oifname eth0 counter masquerade

$ sudo ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE --random
nft add rule ip6 nat POSTROUTING counter masquerade random

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libip6t_MASQUERADE.c | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
index eb9213e..325cdcd 100644
--- a/extensions/libip6t_MASQUERADE.c
+++ b/extensions/libip6t_MASQUERADE.c
@@ -131,6 +131,20 @@ MASQUERADE_save(const void *ip, const struct 
xt_entry_target *target)
printf(" --random");
 }
 
+static int
+MASQUERADE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct nf_nat_range *r = (const void *)target->data;
+
+   xt_xlate_add(xl, "masquerade ");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+   xt_xlate_add(xl, "random ");
+
+   return 1;
+}
+
 static struct xtables_target masquerade_tg_reg = {
.name   = "MASQUERADE",
.version= XTABLES_VERSION,
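Review bot: MASQUERADE_xlate returns 1 even when `r->flags & NF_NAT_RANGE_PROTO_SPECIFIED` is set, so a rule with --to-ports (which the description says is not yet translated) comes out as a plain `masquerade` with the port range silently dropped; until the range is emitted, `if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) return 0;` lets the caller mark the rule untranslatable. The libipt_MASQUERADE patch below has the same gap in its MASQUERADE_xlate.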
@@ -142,6 +156,7 @@ static struct xtables_target masquerade_tg_reg = {
.print  = MASQUERADE_print,
.save   = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
+   .xlate  = MASQUERADE_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH] extensions: libipt_MASQUERADE: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for target MASQUERADE to nftables.
Full translation of this target awaits the support for --to-ports option.

Examples:

$ sudo iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip nat POSTROUTING oifname eth0 counter masquerade

$ sudo iptables-translate -t nat -A POSTROUTING -j MASQUERADE --random
nft add rule ip nat POSTROUTING counter masquerade random

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libipt_MASQUERADE.c | 17 +
 1 file changed, 17 insertions(+)

diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index ea07445..1dc8853 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -134,6 +134,22 @@ MASQUERADE_save(const void *ip, const struct 
xt_entry_target *target)
printf(" --random");
 }
 
+static int
+MASQUERADE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct nf_nat_ipv4_multi_range_compat *mr =
+   (const void *)target->data;
+   const struct nf_nat_ipv4_range *r = &mr->range[0];
+
+   xt_xlate_add(xl, "masquerade ");
+
+   if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
+   xt_xlate_add(xl, "random ");
+
+   return 1;
+}
+
 static struct xtables_target masquerade_tg_reg = {
.name   = "MASQUERADE",
.version= XTABLES_VERSION,
@@ -146,6 +162,7 @@ static struct xtables_target masquerade_tg_reg = {
.print  = MASQUERADE_print,
.save   = MASQUERADE_save,
.x6_options = MASQUERADE_opts,
+   .xlate  = MASQUERADE_xlate,
 };
 
 void _init(void)
-- 
1.9.1



Re: [PATCH] src: proto: Add missing packet type

2016-03-01 Thread Shivani Bhardwaj
On Tue, Mar 1, 2016 at 6:47 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> Add missing packet type "invalid" for DCCP.
>>
>> Signed-off-by: Shivani Bhardwaj 
>> ---
>>  src/proto.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/src/proto.c b/src/proto.c
>> index 0ed98ed..4d049f5 100644
>> --- a/src/proto.c
>> +++ b/src/proto.c
>> @@ -443,6 +443,7 @@ static const struct symbol_table dccp_pkttype_tbl = {
>>   SYMBOL("reset", DCCP_PKT_RESET),
>>   SYMBOL("sync",  DCCP_PKT_SYNC),
>>   SYMBOL("syncack",   DCCP_PKT_SYNCACK),
>> + SYMBOL("invalid",   DCCP_PKT_INVALID),
>
> I don't think this is a good idea -- when user asks to match
> 'invalid' then this will check type == DCCP_PKT_INVALID; however
> the correct way would be to ask for type '> synack' (i.e.,
> outside of the range of types specified).

OK. So, should this be removed from the enum dccp_pkt_type as well?

And if, following the iptables rules, one uses the iptables-translate
utility to obtain the nft equivalent of dccp type invalid, then the
corresponding nft rule should be "dccp type gt syncack". Please
correct me if I'm wrong here.


[PATCH] extensions: libxt_dccp: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
Add translation for dccp to nftables.

Full translation of this match awaits the support for --dccp-option.
Also, since negating a set is not possible in nftables, dccp rules like
...dccp type != {request, response}..
are going to throw errors.

Examples:

$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter

$ sudo iptables-translate -A INPUT -p dccp -m dccp --dccp-type REQUEST,RESPONSE
nft add rule ip filter INPUT dccp type {request, response} counter

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_dccp.c | 88 +
 1 file changed, 88 insertions(+)

diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index a35cabb..27dd625 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -277,6 +277,93 @@ static void dccp_save(const void *ip, const struct 
xt_entry_match *match)
}
 }
 
+static const char *const dccp_pkt_types_xlate[] = {
+   [DCCP_PKT_REQUEST]  = "request",
+   [DCCP_PKT_RESPONSE] = "response",
+   [DCCP_PKT_DATA] = "data",
+   [DCCP_PKT_ACK]  = "ack",
+   [DCCP_PKT_DATAACK]  = "dataack",
+   [DCCP_PKT_CLOSEREQ] = "closereq",
+   [DCCP_PKT_CLOSE]= "close",
+   [DCCP_PKT_RESET]= "reset",
+   [DCCP_PKT_SYNC] = "sync",
+   [DCCP_PKT_SYNCACK]  = "syncack",
+   [DCCP_PKT_INVALID]  = "invalid",
+};
+
+static void
+print_types_xlate(uint16_t types, struct xt_xlate *xl, int numeric)
+{
+   bool have_type = false, set_need = false;
+
+   if (types > 1) {
+   xt_xlate_add(xl, "{");
+   set_need = true;
+   }
+
+   while (types) {
+   unsigned int i;
+
+   for (i = 0; !(types & (1 << i)); i++);
+
+   if (have_type)
+   xt_xlate_add(xl, ", ");
+   else
+   have_type = true;
+
+   if (numeric)
+   xt_xlate_add(xl, "%u", i);
+   else
+   xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
+
+   types &= ~(1 << i);
+   }
+
+   if (set_need)
+   xt_xlate_add(xl, "}");
+
+   xt_xlate_add(xl, " ");
+}
+
+static int dccp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   const struct xt_dccp_info *einfo =
+   (const struct xt_dccp_info *)match->data;
+
+   xt_xlate_add(xl, "dccp ");
+
+   if (einfo->flags & XT_DCCP_SRC_PORTS) {
+   if (einfo->spts[0] != einfo->spts[1])
+   xt_xlate_add(xl, "sport%s %u-%u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0], einfo->spts[1]);
+   else
+   xt_xlate_add(xl, "sport%s %u ",
+einfo->invflags & XT_DCCP_SRC_PORTS ? " 
!=" : "",
+einfo->spts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_DEST_PORTS) {
+   if (einfo->dpts[0] != einfo->dpts[1])
+   xt_xlate_add(xl, "dport%s %u-%u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0], einfo->dpts[1]);
+   else
+   xt_xlate_add(xl, "dport%s %u ",
+einfo->invflags & XT_DCCP_DEST_PORTS ? " 
!=" : "",
+einfo->dpts[0]);
+   }
+
+   if (einfo->flags & XT_DCCP_TYPE) {
+   xt_xlate_add(xl, "type%s ",
+einfo->invflags & XT_DCCP_TYPE ? " !=" : "");
+   print_types_xlate(einfo->typemask, xl, 0);
+   }
+
+   return 1;
+}
+
 static struct xtables_match dccp_match = {
.name   = "dccp",
.family = NFPROTO_UNSPEC,
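Review bot: `if (types > 1)` in print_types_xlate decides whether to emit set braces by the numeric value of the mask rather than by how many bits are set, so any single type other than request (bit 0) — e.g. `--dccp-type RESPONSE`, typemask 2 — is emitted as `{response}` while the description shows bare `type request`; `if (types & (types - 1))` tests for more than one bit. Separately, dccp_xlate returns 1 without looking at XT_DCCP_OPTION, so a rule with --dccp-option (which the description says is not yet translatable) is translated with that constraint silently dropped; `if (einfo->flags & XT_DCCP_OPTION) return 0;` before the port checks lets the caller flag it. `print_types_xlate(einfo->typemask, xl, 0)` also hard-codes numeric to 0 instead of passing the callback's `numeric` argument.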
@@ -288,6 +375,7 @@ static struct xtables_match dccp_match = {
.save   = dccp_save,
.x6_parse   = dccp_parse,
.x6_options = dccp_opts,
+   .xlate  = dccp_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH] src: proto: Add missing packet type

2016-03-01 Thread Shivani Bhardwaj
Add missing packet type "invalid" for DCCP.

Signed-off-by: Shivani Bhardwaj 
---
 src/proto.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/proto.c b/src/proto.c
index 0ed98ed..4d049f5 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -443,6 +443,7 @@ static const struct symbol_table dccp_pkttype_tbl = {
SYMBOL("reset", DCCP_PKT_RESET),
SYMBOL("sync",  DCCP_PKT_SYNC),
SYMBOL("syncack",   DCCP_PKT_SYNCACK),
+   SYMBOL("invalid",   DCCP_PKT_INVALID),
SYMBOL_LIST_END
},
 };
-- 
1.9.1



Re: [Outreachy kernel] [PATCH] extensions: libxt_statistic: Add translation to nft

2016-03-01 Thread Shivani Bhardwaj
On Tue, Mar 1, 2016 at 2:52 AM, Laura Garcia Liebana  wrote:

Hi Laura,

> Add translation for random to nftables.
>
Here you are providing a translation for the statistic module; random is
just one of its matching modes. Please make sure to use the correct
module name in the commit message next time.

> Examples:
>
> $ iptables-translate -A INPUT -m statistic --mode random --probability
> 0.1 -j ACCEPT
> nft add rule ip filter INPUT meta random 0.109 counter accept
>
> $ iptables-translate -A INPUT -m statistic --mode random ! --probability
> 0.1 -j ACCEPT
> nft add rule ip filter INPUT meta random != 0.109 counter accept
>

The match statistic is not yet supported in nftables, so these
translations are not going to work. You can track the supported
extensions here:
http://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables,
you can edit any discrepancies you find on this page.

> Signed-off-by: Laura Garcia Liebana 
> ---
>  extensions/libxt_statistic.c | 15 +++
>  1 file changed, 15 insertions(+)
>
> diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
> index b6ae5f5..95d588c 100644
> --- a/extensions/libxt_statistic.c
> +++ b/extensions/libxt_statistic.c
> @@ -133,6 +133,20 @@ static void statistic_save(const void *ip, const struct 
> xt_entry_match *match)
> print_match(info, "--");
>  }
>
> +static int statistic_xlate(const struct xt_entry_match *match,
> +  struct xt_xlate *xl, int numeric)
> +{
> +   const struct xt_statistic_info *info = (void *)match->data;
> +
> +   if (info->mode == XT_STATISTIC_MODE_RANDOM) {
> +   xt_xlate_add(xl, "meta random%s %.11f ",
> +(info->flags & XT_STATISTIC_INVERT) ? " !=" : "",
> +1.0 * info->u.random.probability / 0x8000);
> +   }
> +
> +   return 1;
> +}
> +
>  static struct xtables_match statistic_match = {
> .family = NFPROTO_UNSPEC,
> .name   = "statistic",
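Review bot: statistic_xlate returns 1 whatever `info->mode` is but only emits output for XT_STATISTIC_MODE_RANDOM, so a rule in any other mode is translated as if the match were absent; `if (info->mode != XT_STATISTIC_MODE_RANDOM) return 0;` at the top lets the caller mark it untranslatable. The divisor `0x8000` and the `%.11f` format also look inconsistent with the `0.109` shown in the description for an input of 0.1 — worth checking the probability scale against statistic_parse, which is outside the hunk.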
> @@ -145,6 +159,7 @@ static struct xtables_match statistic_match = {
> .print  = statistic_print,
> .save   = statistic_save,
> .x6_options = statistic_opts,
> +   .xlate  = statistic_xlate,
>  };
>
The way you've written the code to carry out the translation is correct.
Please make sure to check your patches with checkpatch to avoid coding
style errors.

Thanks,
Shivani

>  void _init(void)
> --
> 2.7.0
>


Re: [PATCH] src: netlink_delinearize: Fix datatype for len

2016-02-29 Thread Shivani Bhardwaj
On Mon, Feb 29, 2016 at 3:36 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> Change the data type of len from unsigned int to int in order to make
>> it valid for checks like
>>
>> if (len < 0)
>>
>> The issue was brought into attention by the unexplained behavior of
>> frag with frag-off. Bugzilla entry:
>> https://bugzilla.netfilter.org/show_bug.cgi?id=935
>>
>> This patch fixes this bug, however there are still issues with frag
>> that need to be fixed.
>
> exthdr (frag) seems to have several issues:
>
> - we should reject exthdr and only allow it with ipv6.
> - for inet/bridge, we should also inject ipv6 dependency
> - some exthdrs (frag for instance) have odd bit lengths
>   and need mask/shift instructions.
>
> For example, in your example rule we generate:
>[ exthdr load 1b @ 44 + 2 => reg 1 ]
>[ cmp eq reg 1 0x2100 ]
>
> But thats not correct -- we truncated the load to one byte.
> Instead we should have loaded 2 bytes and then masked off the extra 3bits.
>
> I'll work on this.

In the chain this rule shows up as

chain input {
type filter hook input priority 0; policy accept;
frag unknown 0x0 [invalid type]
}

This is also the case with some icmpv6 options (id and max-delay),
please take a note of this too.
Thanks.


[PATCH] src: netlink_delinearize: Fix datatype for len

2016-02-28 Thread Shivani Bhardwaj
Change the data type of len from unsigned int to int in order to make
it valid for checks like

if (len < 0)

The issue was brought to attention by the unexplained behavior of
frag with frag-off. Bugzilla entry:
https://bugzilla.netfilter.org/show_bug.cgi?id=935

This patch fixes this bug, however there are still issues with frag
that need to be fixed.

Signed-off-by: Shivani Bhardwaj 
---
 src/netlink_delinearize.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index ae6abb0..2d7a417 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -107,7 +107,7 @@ static void netlink_release_registers(struct 
netlink_parse_ctx *ctx)
 static struct expr *netlink_parse_concat_expr(struct netlink_parse_ctx *ctx,
  const struct location *loc,
  unsigned int reg,
- unsigned int len)
+ int len)
 {
struct expr *concat, *expr;
 
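Review bot: Both hunks only change the type of `len` in netlink_parse_concat_expr and netlink_parse_concat_data from `unsigned int` to `int`; the bodies that consume `len` are outside the hunks, so any arithmetic there that mixes `len` with unsigned expression lengths now becomes a signed/unsigned comparison and should be checked for the same wrap-around this patch is meant to catch. If a negative `len` is an error, a guard at the top of each function that rejects `len < 0` through its existing error path (the first function's `err:` label shows in the second hunk's header) would make the contract explicit rather than relying on each caller to check. The same note applies to the second hunk.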
@@ -134,7 +134,7 @@ err:
 static struct expr *netlink_parse_concat_data(struct netlink_parse_ctx *ctx,
  const struct location *loc,
  unsigned int reg,
- unsigned int len,
+ int len,
  struct expr *data)
 {
struct expr *concat, *expr, *i;
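Review bot: Making `len` signed only gives `if (len < 0)` meaning if some caller actually passes a negative value through, and any comparison of `len` against an `unsigned int` field inside the body converts it straight back to unsigned, so the intended check can be defeated silently; this applies to `netlink_parse_concat_expr` in the previous hunk as well as `netlink_parse_concat_data` here. The commit message should say where the negative length originates, and a short comment on the parameter stating that source would tell the next reader why the signedness matters. Both function bodies continue outside the hunk and the callers are not visible here, so this is inferred from the signatures alone.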
-- 
1.9.1



[PATCH] comment: Add translation to nft

2016-02-23 Thread Shivani Bhardwaj
Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.

Example:

$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A 
privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A 
privatized IP block\"

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_comment.c | 13 +
 include/xtables.h  |  1 +
 iptables/nft-ipv4.c|  6 ++
 iptables/nft-ipv6.c|  6 ++
 libxtables/xtables.c   |  5 +
 5 files changed, 31 insertions(+)

diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 6ed2ff9..464ca09 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -48,6 +48,18 @@ comment_save(const void *ip, const struct xt_entry_match 
*match)
xtables_save_string(commentinfo->comment);
 }
 
+static int
+comment_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   struct xt_comment_info *commentinfo = (void *)match->data;
+
+   commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';
+xt_xlate_add_comment(xl, commentinfo->comment);
+
+   return 1;
+}
+
 static struct xtables_match comment_match = {
.family = NFPROTO_UNSPEC,
.name   = "comment",
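Review bot: The write `commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';` modifies the match data that `comment_xlate` receives through a `const` pointer; the `(void *)` cast on the line before discards that qualifier, so a translate callback ends up mutating the rule it is only meant to read. Keep the pointer `const` and bound the read instead, e.g. copy into a local `char comment[XT_MAX_COMMENT_LEN]` with `strncpy` and terminate that copy, or rely on the bounded copy and termination that `xt_xlate_add_comment` itself performs (the libxtables hunk below terminates `xl->comment`). The `xt_xlate_add_comment` call on the following line is indented with spaces rather than a tab, unlike the rest of the function. The same cast-and-write pattern appears in the 2016-02-15 and 2016-01-31 postings of this patch.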
@@ -59,6 +71,7 @@ static struct xtables_match comment_match = {
.save   = comment_save,
.x6_parse   = xtables_option_parse,
.x6_options = comment_opts,
+   .xlate  = comment_xlate,
 };
 
 void _init(void)
diff --git a/include/xtables.h b/include/xtables.h
index 6fd3bdf..e219c9f 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -574,6 +574,7 @@ struct xt_xlate *xt_xlate_alloc(int size);
 void xt_xlate_free(struct xt_xlate *xl);
 void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...);
 void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
+const char *xt_xlate_get_comment(struct xt_xlate *xl);
 const char *xt_xlate_get(struct xt_xlate *xl);
 
 #ifdef XTABLES_INTERNAL
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 5e2857d..3c41755 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -433,6 +433,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate 
*xl)
 {
const struct iptables_command_state *cs = data;
int ret;
+   const char *comment;
 
if (cs->fw.ip.iniface[0] != '\0') {
xt_xlate_add(xl, "iifname %s%s ",
@@ -484,6 +485,11 @@ static int nft_ipv4_xlate(const void *data, struct 
xt_xlate *xl)
/* Always add counters per rule, as in iptables */
xt_xlate_add(xl, "counter ");
 
+   comment = xt_xlate_get_comment(xl);
+
+   if (strcmp(comment, ""))
+   xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+
ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
return ret;
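Review bot: The comment text is interpolated into the generated rule via `"comment \\\"%s\\\" "` without any escaping, so a comment containing a double quote or backslash — user-supplied through `--comment` — yields a malformed nft command or one whose rule text no longer matches the original comment; escape those characters before emitting, or at least document the limitation at this line. `if (strcmp(comment, ""))` reads more directly as `if (*comment != '\0')`. The code also assumes `xl->comment` is zero-initialised when the rule carries no comment match, which nothing in this patch shows `xt_xlate_alloc` doing — worth confirming. The nft-ipv6.c hunk of this patch repeats the same lines.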
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index bbf289b..8912f1d 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -393,6 +393,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate 
*xl)
 {
const struct iptables_command_state *cs = data;
int ret;
+   const char *comment;
 
if (cs->fw6.ipv6.iniface[0] != '\0') {
xt_xlate_add(xl, "iifname %s%s ",
@@ -435,6 +436,11 @@ static int nft_ipv6_xlate(const void *data, struct 
xt_xlate *xl)
/* Always add counters per rule, as in iptables */
xt_xlate_add(xl, "counter ");
 
+   comment = xt_xlate_get_comment(xl);
+
+   if (strcmp(comment, ""))
+   xt_xlate_add(xl, "comment \\\"%s\\\" ", comment);
+
ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
return ret;
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index c4b86f5..decd7be 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -2045,6 +2045,11 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const 
char *comment)
xl->comment[NFT_USERDATA_MAXLEN - 1] = '\0';
 }
 
+const char *xt_xlate_get_comment(struct xt_xlate *xl)
+{
+   return xl->comment;
+}
+
 const char *xt_xlate_get(struct xt_xlate *xl)
 {
return xl->buf.data;
-- 
1.9.1



[PATCH 2/2] extensions: libip6t_mh: Add translation to nft

2016-02-21 Thread Shivani Bhardwaj
Add translation for mobility header to nftables.

Examples:

$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter 
accept

$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter 
accept

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libip6t_mh.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 686a293..e0c214c 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -202,6 +202,26 @@ static void mh_save(const void *ip, const struct 
xt_entry_match *match)
printf(" --mh-type %u", mhinfo->types[0]);
 }
 
+static int mh_xlate(const struct xt_entry_match *match,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+
+   if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+   return 1;
+
+   if (mhinfo->types[0] != mhinfo->types[1])
+   xt_xlate_add(xl, "mh type %s%u-%u ",
+mhinfo->invflags & IP6T_MH_INV_TYPE ? "!= " : "",
+mhinfo->types[0], mhinfo->types[1]);
+   else
+   xt_xlate_add(xl, "mh type %s%u ",
+mhinfo->invflags & IP6T_MH_INV_TYPE ? "!= " : "",
+mhinfo->types[0]);
+
+   return 1;
+}
+
 static const struct xt_option_entry mh_opts[] = {
{.name = "mh-type", .id = O_MH_TYPE, .type = XTTYPE_STRING,
 .flags = XTOPT_INVERT},
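Review bot: The early return for the 0:255 range ignores `IP6T_MH_INV_TYPE`, so `! --mh-type 0:255` (a rule matching no mobility-header packet) translates to a rule with no `mh type` expression at all, silently inverting its meaning. Limit the shortcut to the non-inverted case, `if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF && !(mhinfo->invflags & IP6T_MH_INV_TYPE))`, and for the inverted full range either emit the inverted range or return 0, if 0 signals an untranslatable match as the `if (!ret)` checks in nft-ipv4.c suggest. The `meta l4proto mobility-header` prefix in the examples comes from the family code, not from this function.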
@@ -220,6 +240,7 @@ static struct xtables_match mh_mt6_reg = {
.print  = mh_print,
.save   = mh_save,
.x6_options = mh_opts,
+   .xlate  = mh_xlate,
 };
 
 void _init(void)
-- 
1.9.1



[PATCH 1/2] iptables: nft-ipv6: Use meta l4proto instead of nexthdr

2016-02-21 Thread Shivani Bhardwaj
Use meta l4proto in place of nexthdr for ipv6 protocols, since not
every protocol is necessarily the next header.

Signed-off-by: Shivani Bhardwaj 
---
 iptables/nft-ipv6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0ee7957..bbf289b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -416,7 +416,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate 
*xl)
snprintf(protonum, sizeof(protonum), "%u",
 cs->fw6.ipv6.proto);
protonum[sizeof(protonum) - 1] = '\0';
-   xt_xlate_add(xl, "ip6 nexthdr %s%s ",
+   xt_xlate_add(xl, "meta l4proto %s%s ",
   cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
"!= " : "",
   pent ? pent->p_name : protonum);
-- 
1.9.1



[PATCH] comment: Add translation to nft

2016-02-15 Thread Shivani Bhardwaj
Add translation for match comment to nftables.

Example:

$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A 
privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A 
privatized IP block\"

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_comment.c | 14 ++
 iptables/nft-ipv4.c| 17 +++--
 iptables/nft-ipv6.c| 17 +++--
 3 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 6ed2ff9..0461924 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -48,6 +48,19 @@ comment_save(const void *ip, const struct xt_entry_match 
*match)
xtables_save_string(commentinfo->comment);
 }
 
+static int
+comment_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+   struct xt_comment_info *commentinfo = (void *)match->data;
+
+   commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';
+   xt_xlate_add_comment(xl, commentinfo->comment);
+   xt_xlate_add(xl, "comment \\\"%s\\\" ", commentinfo->comment);
+
+   return 1;
+}
+
 static struct xtables_match comment_match = {
.family = NFPROTO_UNSPEC,
.name   = "comment",
@@ -59,6 +72,7 @@ static struct xtables_match comment_match = {
.save   = comment_save,
.x6_parse   = xtables_option_parse,
.x6_options = comment_opts,
+   .xlate  = comment_xlate,
 };
 
 void _init(void)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 5e2857d..f816a8a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -433,6 +433,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate 
*xl)
 {
const struct iptables_command_state *cs = data;
int ret;
+   bool comm = false;
 
if (cs->fw.ip.iniface[0] != '\0') {
xt_xlate_add(xl, "iifname %s%s ",
@@ -477,12 +478,24 @@ static int nft_ipv4_xlate(const void *data, struct 
xt_xlate *xl)
   inet_ntoa(cs->fw.ip.dst));
}
 
+   /*
+* Add counter for match comment as prefix
+*/
+   if (strcmp(cs->matches->match->name, "comment") == 0) {
+   comm = true;
+   xt_xlate_add(xl, "counter ");
+   }
+
ret = xlate_matches(cs, xl);
if (!ret)
return ret;
 
-   /* Always add counters per rule, as in iptables */
-   xt_xlate_add(xl, "counter ");
+   /*
+* Always add counters per rule, as in iptables
+* except for match comment
+*/
+   if (!comm)
+   xt_xlate_add(xl, "counter ");
 
ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
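Review bot: `strcmp(cs->matches->match->name, "comment")` dereferences `cs->matches` without checking it, so a rule with no `-m` match at all (for example only `-j ACCEPT`) would crash the translator here; guard it with `if (cs->matches && strcmp(cs->matches->match->name, "comment") == 0)`. It also inspects only the head of what is presumably a linked list of matches, so a comment match that is not the first match is missed and the rule gets the trailing `counter ` after the comment anyway; iterating the list, or recording the comment in the xlate context as the 2016-02-23 posting does, avoids both problems. `nft_ipv4_xlate` begins outside the hunk. The nft-ipv6.c hunk of this patch and the 2016-01-31 posting repeat the same lines.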
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0ee7957..edc572c 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -393,6 +393,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate 
*xl)
 {
const struct iptables_command_state *cs = data;
int ret;
+   bool comm = false;
 
if (cs->fw6.ipv6.iniface[0] != '\0') {
xt_xlate_add(xl, "iifname %s%s ",
@@ -428,12 +429,24 @@ static int nft_ipv6_xlate(const void *data, struct 
xt_xlate *xl)
xlate_ipv6_addr("ip6 daddr", &cs->fw6.ipv6.dst,
cs->fw6.ipv6.invflags & IP6T_INV_DSTIP, xl);
 
+   /*
+* Add counter as prefix for match comment
+*/
+   if (strcmp(cs->matches->match->name, "comment") == 0) {
+   comm = true;
+   xt_xlate_add(xl, "counter ");
+   }
+
ret = xlate_matches(cs, xl);
if (!ret)
return ret;
 
-   /* Always add counters per rule, as in iptables */
-   xt_xlate_add(xl, "counter ");
+   /*
+* Always add counters per rule, as in iptables
+* except for match comment
+*/
+   if (!comm)
+   xt_xlate_add(xl, "counter ");
 
ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
-- 
1.9.1



[PATCH] extensions: libxt_tos: Add translation to nft

2016-02-14 Thread Shivani Bhardwaj
Add translation for match tos to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m tos --tos 0x02  -j ACCEPT
nft add rule ip filter INPUT ip tos 0x02 counter accept

$ sudo iptables-translate -A INPUT -m tos --tos 0x02/0x04  -j ACCEPT
nft add rule ip filter INPUT ip tos and 0x02 == 0x04 counter accept

$ sudo iptables-translate -A INPUT -m tos ! --tos 0x02/0x04  -j ACCEPT
nft add rule ip filter INPUT ip tos and 0x02 != 0x04 counter accept

Details:
This patch was sent by Ana; Shivani modified it as per the current
nftables structure, applied it to the latest branch and tested it.

Signed-off-by: Shivani Bhardwaj 
Signed-off-by: Ana Rey 
---
 extensions/libxt_tos.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index 81c096f..577e9cb 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -121,6 +121,23 @@ static void tos_mt_save(const void *ip, const struct 
xt_entry_match *match)
printf(" --tos 0x%02x/0x%02x", info->tos_value, info->tos_mask);
 }
 
+static int tos_mt_xlate(const struct xt_entry_match *match,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_tos_match_info *info = (const void *)match->data;
+
+   xt_xlate_add(xl, "ip tos ");
+
+   if (info->tos_mask == 0xff)
+   xt_xlate_add(xl, "%s0x%02x ", info->invert ? "!= " : "",
+info->tos_value);
+   else
+   xt_xlate_add(xl, "and 0x%02x %s 0x%02x ", info->tos_value,
+info->invert ? "!=" : "==", info->tos_mask);
+
+   return 1;
+}
+
 static struct xtables_match tos_mt_reg[] = {
{
.version   = XTABLES_VERSION,
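Review bot: In the masked branch the operands are swapped: `info->tos_value` is used as the AND operand and `info->tos_mask` as the value compared against, but `--tos value/mask` matches `(tos & mask) == value`, so `--tos 0x02/0x04` should translate to `ip tos and 0x04 == 0x02`, not `ip tos and 0x02 == 0x04` as the commit message shows. Swap the arguments: `xt_xlate_add(xl, "and 0x%02x %s 0x%02x ", info->tos_mask,` / `info->invert ? "!=" : "==", info->tos_value);`. The full-mask branch is unaffected, and the examples in the commit message should be regenerated once this is fixed.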
@@ -147,6 +164,7 @@ static struct xtables_match tos_mt_reg[] = {
.save  = tos_mt_save,
.x6_parse  = tos_mt_parse,
.x6_options= tos_mt_opts,
+   .xlate = tos_mt_xlate,
},
 };
 
-- 
1.9.1



[PATCH] iptables: nft-ipv6: Fix ipv6 flags

2016-02-09 Thread Shivani Bhardwaj
Replace the flags with the correct ipv6 flags.

Details:
Ana found the bug and submitted the patch; Shivani applied it
on the latest tree and compile-tested it.

Signed-off-by: Ana Rey 
Signed-off-by: Shivani Bhardwaj 
---
 iptables/nft-ipv6.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 77ac5b8..0ee7957 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -135,7 +135,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
}
 
if (inv)
-   cs->fw6.ipv6.invflags |= IPT_INV_SRCIP;
+   cs->fw6.ipv6.invflags |= IP6T_INV_SRCIP;
break;
case offsetof(struct ip6_hdr, ip6_dst):
get_cmp_data(e, &addr, sizeof(addr), &inv);
@@ -148,14 +148,14 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
}
 
if (inv)
-   cs->fw6.ipv6.invflags |= IPT_INV_DSTIP;
+   cs->fw6.ipv6.invflags |= IP6T_INV_DSTIP;
break;
case offsetof(struct ip6_hdr, ip6_nxt):
get_cmp_data(e, &proto, sizeof(proto), &inv);
cs->fw6.ipv6.flags |= IP6T_F_PROTO;
cs->fw6.ipv6.proto = proto;
if (inv)
-   cs->fw6.ipv6.invflags |= IPT_INV_PROTO;
+   cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
default:
DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
break;
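Review bot: The `ip6_nxt` case has no `break` after the updated `cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;` line, so every protocol payload match falls through into `default:` and logs "unknown payload offset"; this is pre-existing, but the commit touches that line, so add `break;` right after it unless the fall-through is intentional. The flag renames themselves are consistent across all hunks of this patch.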
@@ -186,7 +186,7 @@ static void print_ipv6_addr(const struct 
iptables_command_state *cs,
 {
char buf[BUFSIZ];
 
-   fputc(cs->fw6.ipv6.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
+   fputc(cs->fw6.ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)
&& !(format & FMT_NUMERIC))
printf(FMT("%-19s ","%s "), "anywhere");
@@ -202,7 +202,7 @@ static void print_ipv6_addr(const struct 
iptables_command_state *cs,
}
 
 
-   fputc(cs->fw6.ipv6.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
+   fputc(cs->fw6.ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dst)
&& !(format & FMT_NUMERIC))
printf(FMT("%-19s ","-> %s"), "anywhere");
@@ -266,9 +266,9 @@ static void nft_ipv6_save_firewall(const void *data, 
unsigned int format)
  cs->fw6.ipv6.outiface_mask);
 
save_ipv6_addr('s', &cs->fw6.ipv6.src,
-  cs->fw6.ipv6.invflags & IPT_INV_SRCIP);
+  cs->fw6.ipv6.invflags & IP6T_INV_SRCIP);
save_ipv6_addr('d', &cs->fw6.ipv6.dst,
-  cs->fw6.ipv6.invflags & IPT_INV_DSTIP);
+  cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
 
save_matches_and_target(cs->matches, cs->target,
cs->jumpto, cs->fw6.ipv6.flags, &cs->fw6);
-- 
1.9.1



[PATCH v4] extensions: libxt_NFQUEUE: Add translation to nft

2016-02-09 Thread Shivani Bhardwaj
Add translation for NF queue to nftables.

Examples:

$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE 
--queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p 
TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 
80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout

Signed-off-by: Shivani Bhardwaj 
---
Changes in v4:
Remove the unnecessary variable and use the built-in flags instead.

 extensions/libxt_NFQUEUE.c | 58 +-
 1 file changed, 57 insertions(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 0c86918..fe005cb 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -205,6 +205,58 @@ static void NFQUEUE_init_v1(struct xt_entry_target *t)
tinfo->queues_total = 1;
 }
 
+static int NFQUEUE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info *tinfo =
+   (const struct xt_NFQ_info *)target->data;
+
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v1(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
+   unsigned int last = tinfo->queues_total;
+
+   if (last > 1) {
+   last += tinfo->queuenum - 1;
+   xt_xlate_add(xl, "queue num %u-%u ", tinfo->queuenum, last);
+   } else {
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+   }
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v2(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v2 *info = (void *) target->data;
+
+   NFQUEUE_xlate_v1(target, xl, numeric);
+
+   if (info->bypass & NFQ_FLAG_BYPASS)
+   xt_xlate_add(xl, "bypass");
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v3(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+   NFQUEUE_xlate_v2(target, xl, numeric);
+   if (info->flags & NFQ_FLAG_CPU_FANOUT)
+   xt_xlate_add(xl, "%sfanout ", info->flags & NFQ_FLAG_BYPASS ? 
"," : "");
+
+   return 1;
+}
+
 static struct xtables_target nfqueue_targets[] = {
 {
.family = NFPROTO_UNSPEC,
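Review bot: `NFQUEUE_xlate_v3` decides on the "," separator from `info->flags & NFQ_FLAG_BYPASS` on the v3 struct, while the word `bypass` it is separating was emitted by `NFQUEUE_xlate_v2` reading `info->bypass` through the v2 layout of the same data; that is only correct because the two fields overlap, as the review thread notes, and nothing in the code says so. Add a comment above the `NFQUEUE_xlate_v2(target, xl, numeric);` call in v3 such as `/* v3 shares the v2 layout (->flags overlaps ->bypass), so v2 has already emitted "bypass" for us */`. The `"bypass"` fragment is the only one written without a trailing space — deliberate for the `,fanout` case, but worth a word as well. Ignoring the return values of the chained `_v1`/`_v2` calls is fine only as long as they can return nothing but 1, which holds in this hunk.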
@@ -216,7 +268,8 @@ static struct xtables_target nfqueue_targets[] = {
.print  = NFQUEUE_print,
.save   = NFQUEUE_save,
.x6_parse   = NFQUEUE_parse,
-   .x6_options = NFQUEUE_opts
+   .x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 1,
@@ -230,6 +283,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v1,
.x6_parse   = NFQUEUE_parse_v1,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v1,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 2,
@@ -243,6 +297,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v2,
.x6_parse   = NFQUEUE_parse_v2,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v2,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 3,
@@ -256,6 +311,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v3,
.x6_parse   = NFQUEUE_parse_v3,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v3,
 }
 };
 
-- 
1.9.1



Re: [PATCH v2] extensions: libxt_NFQUEUE: Add translation to nft

2016-02-09 Thread Shivani Bhardwaj
On Mon, Feb 8, 2016 at 2:59 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> On Sun, Feb 7, 2016 at 2:55 PM, Florian Westphal  wrote:
>
>> > Seems this could be written similar to something like:
>> >
>> > if (info->flags & NFQ_FLAG_CPU_FANOUT) {
>> > bool sep_needed = info->bypass & NFQ_FLAG_BYPASS;
>> > xt_xlate_add(xl, "%sfanout ", sep_need ? "," : "");
>> > ...
>>
>> The pointer info used in both the versions (of NFQUEUE_xlate) is for
>> different structures. Sadly, this doesn't work as v3 structure doesn't
>> have a member for bypass field.
>
> Oh, right.  However bypass & flags overlap -- I think you could just use
> info->flags & NFQ_FLAG_BYPASS.
>
> If you look at NFQUEUE_parse_v3() it just calls NFQUEUE_parse_v2() with
> the v3 structure.

Yes, the code looks better now. Thanks a lot, Florian.


Re: [PATCH v2] extensions: libxt_NFQUEUE: Add translation to nft

2016-02-07 Thread Shivani Bhardwaj
On Sun, Feb 7, 2016 at 2:55 PM, Florian Westphal  wrote:
> Shivani Bhardwaj  wrote:
>> $ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE 
>> --queue-num 30
>> nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
>>
>> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass 
>> -p TCP --sport 80
>> nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass
>>
>> $ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP 
>> --sport 80 --queue-balance 0:3 --queue-cpu-fanout
>> nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 
>> bypass,fanout
>
> translations look correct, thanks!
>
>> +bool sep_need = false;
>
> Is this really needed?
> If it is, please add static keyword too.
>

Done. Please check the new version of this patch.

>> +static int NFQUEUE_xlate_v2(const struct xt_entry_target *target,
>> + struct xt_xlate *xl, int numeric)
>> +{
>> + const struct xt_NFQ_info_v2 *info = (void *) target->data;
>> +
>> + NFQUEUE_xlate_v1(target, xl, numeric);
>> +
>> + if (info->bypass & NFQ_FLAG_BYPASS) {
>> + xt_xlate_add(xl, "bypass");
>> + sep_need = true;
>> + }
>> +
>> + return 1;
>> +}
>> +
>> +static int NFQUEUE_xlate_v3(const struct xt_entry_target *target,
>> + struct xt_xlate *xl, int numeric)
>> +{
>> + const struct xt_NFQ_info_v3 *info = (void *)target->data;
>> +
>> + NFQUEUE_xlate_v2(target, xl, numeric);
>> + if (info->flags & NFQ_FLAG_CPU_FANOUT)
>> + xt_xlate_add(xl, "%sfanout ", sep_need ? "," : "");
>> +
>
> Seems this could be written similar to something like:
>
> if (info->flags & NFQ_FLAG_CPU_FANOUT) {
> bool sep_needed = info->bypass & NFQ_FLAG_BYPASS;
> xt_xlate_add(xl, "%sfanout ", sep_need ? "," : "");
> ...

The pointer info used in both the versions (of NFQUEUE_xlate) is for
different structures. Sadly, this doesn't work as v3 structure doesn't
have a member for bypass field.

Thanks a lot.


[PATCH v3] extensions: libxt_NFQUEUE: Add translation to nft

2016-02-07 Thread Shivani Bhardwaj
Add translation for NF queue to nftables.

Examples:

$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE 
--queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p 
TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 
80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout

Signed-off-by: Shivani Bhardwaj 
---
Changes in v3:
Add static keyword to sep_need

 extensions/libxt_NFQUEUE.c | 62 +-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 0c86918..5312630 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -205,6 +205,62 @@ static void NFQUEUE_init_v1(struct xt_entry_target *t)
tinfo->queues_total = 1;
 }
 
+static int NFQUEUE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info *tinfo =
+   (const struct xt_NFQ_info *)target->data;
+
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v1(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
+   unsigned int last = tinfo->queues_total;
+
+   if (last > 1) {
+   last += tinfo->queuenum - 1;
+   xt_xlate_add(xl, "queue num %u-%u ", tinfo->queuenum, last);
+   } else {
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+   }
+
+   return 1;
+}
+
+static bool sep_need;
+
+static int NFQUEUE_xlate_v2(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v2 *info = (void *) target->data;
+
+   NFQUEUE_xlate_v1(target, xl, numeric);
+
+   if (info->bypass & NFQ_FLAG_BYPASS) {
+   xt_xlate_add(xl, "bypass");
+   sep_need = true;
+   }
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v3(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+   NFQUEUE_xlate_v2(target, xl, numeric);
+   if (info->flags & NFQ_FLAG_CPU_FANOUT)
+   xt_xlate_add(xl, "%sfanout ", sep_need ? "," : "");
+
+   return 1;
+}
+
 static struct xtables_target nfqueue_targets[] = {
 {
.family = NFPROTO_UNSPEC,
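Review bot: `static bool sep_need` is file-scope state that `NFQUEUE_xlate_v2` sets and nothing ever clears, so once one rule with `--queue-bypass` has been translated, every later v3 rule with `--queue-cpu-fanout` gets a leading "," even when it has no bypass, and translating several rules in one run becomes order-dependent. Derive the separator from the target's own data instead, e.g. `info->flags & NFQ_FLAG_BYPASS ? "," : ""` in `NFQUEUE_xlate_v3`, and drop the global. The v2 posting of this patch (non-`static` `bool sep_need = false;`) has the same problem and additionally exports the symbol from the extension's shared object.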
@@ -216,7 +272,8 @@ static struct xtables_target nfqueue_targets[] = {
.print  = NFQUEUE_print,
.save   = NFQUEUE_save,
.x6_parse   = NFQUEUE_parse,
-   .x6_options = NFQUEUE_opts
+   .x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 1,
@@ -230,6 +287,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v1,
.x6_parse   = NFQUEUE_parse_v1,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v1,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 2,
@@ -243,6 +301,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v2,
.x6_parse   = NFQUEUE_parse_v2,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v2,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 3,
@@ -256,6 +315,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v3,
.x6_parse   = NFQUEUE_parse_v3,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v3,
 }
 };
 
-- 
1.9.1



[PATCH v2] extensions: libxt_NFQUEUE: Add translation to nft

2016-02-06 Thread Shivani Bhardwaj
Add translation for NF queue to nftables.

Examples:

$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE 
--queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p 
TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass

$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 
80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Fix the code for queue-balance

 extensions/libxt_NFQUEUE.c | 62 +-
 1 file changed, 61 insertions(+), 1 deletion(-)

diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 0c86918..ea38f86 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -205,6 +205,62 @@ static void NFQUEUE_init_v1(struct xt_entry_target *t)
tinfo->queues_total = 1;
 }
 
+static int NFQUEUE_xlate(const struct xt_entry_target *target,
+struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info *tinfo =
+   (const struct xt_NFQ_info *)target->data;
+
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v1(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
+   unsigned int last = tinfo->queues_total;
+
+   if (last > 1) {
+   last += tinfo->queuenum - 1;
+   xt_xlate_add(xl, "queue num %u-%u ", tinfo->queuenum, last);
+   } else {
+   xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
+   }
+
+   return 1;
+}
+
+bool sep_need = false;
+
+static int NFQUEUE_xlate_v2(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v2 *info = (void *) target->data;
+
+   NFQUEUE_xlate_v1(target, xl, numeric);
+
+   if (info->bypass & NFQ_FLAG_BYPASS) {
+   xt_xlate_add(xl, "bypass");
+   sep_need = true;
+   }
+
+   return 1;
+}
+
+static int NFQUEUE_xlate_v3(const struct xt_entry_target *target,
+   struct xt_xlate *xl, int numeric)
+{
+   const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+   NFQUEUE_xlate_v2(target, xl, numeric);
+   if (info->flags & NFQ_FLAG_CPU_FANOUT)
+   xt_xlate_add(xl, "%sfanout ", sep_need ? "," : "");
+
+   return 1;
+}
+
 static struct xtables_target nfqueue_targets[] = {
 {
.family = NFPROTO_UNSPEC,
@@ -216,7 +272,8 @@ static struct xtables_target nfqueue_targets[] = {
.print  = NFQUEUE_print,
.save   = NFQUEUE_save,
.x6_parse   = NFQUEUE_parse,
-   .x6_options = NFQUEUE_opts
+   .x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 1,
@@ -230,6 +287,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v1,
.x6_parse   = NFQUEUE_parse_v1,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v1,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 2,
@@ -243,6 +301,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v2,
.x6_parse   = NFQUEUE_parse_v2,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v2,
 },{
.family = NFPROTO_UNSPEC,
.revision   = 3,
@@ -256,6 +315,7 @@ static struct xtables_target nfqueue_targets[] = {
.save   = NFQUEUE_save_v3,
.x6_parse   = NFQUEUE_parse_v3,
.x6_options = NFQUEUE_opts,
+   .xlate  = NFQUEUE_xlate_v3,
 }
 };
 
-- 
1.9.1



[PATCH] comment: Add translation to nft

2016-01-31 Thread Shivani Bhardwaj
Add translation for match comment to nftables.

Example:

$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A 
privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A 
privatized IP block\"

Signed-off-by: Shivani Bhardwaj 
---
 extensions/libxt_comment.c | 13 +
 iptables/nft-ipv4.c| 17 +++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_comment.c b/extensions/libxt_comment.c
index 6ed2ff9..e80336c 100644
--- a/extensions/libxt_comment.c
+++ b/extensions/libxt_comment.c
@@ -48,6 +48,18 @@ comment_save(const void *ip, const struct xt_entry_match 
*match)
xtables_save_string(commentinfo->comment);
 }
 
+static int
+comment_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+   struct xt_comment_info *commentinfo = (void *)match->data;
+
+   commentinfo->comment[XT_MAX_COMMENT_LEN-1] = '\0';
+   xt_buf_add(buf, "comment \\\"%s\\\" ", commentinfo->comment);
+
+   return 1;
+}
+
 static struct xtables_match comment_match = {
.family = NFPROTO_UNSPEC,
.name   = "comment",
@@ -59,6 +71,7 @@ static struct xtables_match comment_match = {
.save   = comment_save,
.x6_parse   = xtables_option_parse,
.x6_options = comment_opts,
+   .xlate  = comment_xlate,
 };
 
 void _init(void)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ede8f17..612b4f6 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -433,6 +433,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_buf 
*buf)
 {
const struct iptables_command_state *cs = data;
int ret;
+   bool comm = false;
 
if (cs->fw.ip.iniface[0] != '\0') {
xt_buf_add(buf, "iifname %s%s ",
@@ -477,12 +478,24 @@ static int nft_ipv4_xlate(const void *data, struct xt_buf 
*buf)
   inet_ntoa(cs->fw.ip.dst));
}
 
+   /*
+* Add counter for match comment as prefix
+*/
+   if (strcmp(cs->matches->match->name, "comment") == 0) {
+   comm = true;
+   xt_buf_add(buf, "counter ");
+   }
+
ret = xlate_matches(cs, buf);
if (!ret)
return ret;
 
-   /* Always add counters per rule, as in iptables */
-   xt_buf_add(buf, "counter ");
+   /*
+* Always add counters per rule, as in iptables
+* except for the match comment
+*/
+   if (!comm)
+   xt_buf_add(buf, "counter ");
 
ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), buf);
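Review bot: The new check inspects only the head of the match list, `cs->matches->match->name`, so a rule such as `-m tcp -m comment` is not recognised and still gets `counter` after the comment, and the dereference is unconditional, which presumably crashes for a rule with no match at all if `cs->matches` is NULL in that case (confirm against the callers). Walking the list handles both, and the `strcmp` then needs `<string.h>` and `bool` needs `<stdbool.h>` in this file if they are not already included (not visible in the hunk). nft_ipv4_xlate's declarations are in the earlier hunk of this file.
```c
	const struct xtables_rule_match *matchp;
	/* … unchanged: iifname/oifname/saddr/daddr translation … */
	for (matchp = cs->matches; matchp != NULL; matchp = matchp->next) {
		if (strcmp(matchp->match->name, "comment") == 0) {
			comm = true;
			xt_buf_add(buf, "counter ");
			break;
		}
	}
	/* … unchanged: xlate_matches, conditional counter, xlate_action … */
```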
 
-- 
1.9.1



[PATCH] src: netlink_linearize: Fix bug for redirect target

2016-01-28 Thread Shivani Bhardwaj
Before this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 
100-200
ip nat post
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x0006 ]
  [ immediate reg 1 0x6400 ]
  [ immediate reg 2 0xc800 ]
  [ redir proto_min reg 1 proto_max reg 5 ]

:1:1-56: Error: Could not process rule: Invalid argument
add rule ip nat post ip protocol tcp redirect to 100-200


After this patch,
$ sudo nft --debug=netlink add rule ip nat post ip protocol tcp redirect to 
100-200
ip nat post
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x0006 ]
  [ immediate reg 1 0x6400 ]
  [ immediate reg 2 0xc800 ]
  [ redir proto_min reg 1 proto_max reg 2 ]

Signed-off-by: Shivani Bhardwaj 
---
 src/netlink_linearize.c | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 7c6ef16..dfe8dca 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -861,17 +861,17 @@ static void netlink_gen_redir_stmt(struct 
netlink_linearize_ctx *ctx,
 pmin_reg);
netlink_gen_expr(ctx, stmt->redir.proto->right,
 pmax_reg);
-   nftnl_expr_set_u32(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MIN,
- pmin_reg);
-   nftnl_expr_set_u32(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MAX,
- pmax_reg);
+   netlink_put_register(nle,
+NFTNL_EXPR_REDIR_REG_PROTO_MIN,
+pmin_reg);
+   netlink_put_register(nle,
+NFTNL_EXPR_REDIR_REG_PROTO_MAX,
+pmax_reg);
} else {
netlink_gen_expr(ctx, stmt->redir.proto, pmin_reg);
-   nftnl_expr_set_u32(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MIN,
- pmin_reg);
+   netlink_put_register(nle,
+NFTNL_EXPR_REDIR_REG_PROTO_MIN,
+pmin_reg);
}
}
 
-- 
1.9.1



[PATCH nftables] Add support for masquerade port selection

2016-01-22 Thread Shivani Bhardwaj
Provide full support for masquerading by allowing port range selection.

Signed-off-by: Shivani Bhardwaj 
---
 include/statement.h   |  1 +
 src/netlink_delinearize.c | 26 ++
 src/netlink_linearize.c   | 24 
 src/parser_bison.y| 23 +--
 src/statement.c   | 11 +++
 5 files changed, 79 insertions(+), 6 deletions(-)

diff --git a/include/statement.h b/include/statement.h
index 8b035d3..e310ab4 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -77,6 +77,7 @@ extern struct stmt *nat_stmt_alloc(const struct location 
*loc);
 
 struct masq_stmt {
uint32_tflags;
+   struct expr *proto;
 };
 
 extern struct stmt *masq_stmt_alloc(const struct location *loc);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 3499d74..bd93702 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -692,6 +692,8 @@ static void netlink_parse_masq(struct netlink_parse_ctx 
*ctx,
 {
struct stmt *stmt;
uint32_t flags;
+   struct expr *proto;
+   enum nft_registers reg1, reg2;
 
flags = 0;
if (nftnl_expr_is_set(nle, NFTNL_EXPR_MASQ_FLAGS))
@@ -700,6 +702,30 @@ static void netlink_parse_masq(struct netlink_parse_ctx 
*ctx,
stmt = masq_stmt_alloc(loc);
stmt->masq.flags = flags;
 
+   reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN);
+   if (reg1) {
+   proto = netlink_get_register(ctx, loc, reg1);
+   if (proto == NULL)
+   return netlink_error(ctx, loc,
+"MASQUERADE statement"
+"has no proto expression");
+   expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+   stmt->masq.proto = proto;
+   }
+
+   reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX);
+   if (reg2 && reg2 != reg1) {
+   proto = netlink_get_register(ctx, loc, reg2);
+   if (proto == NULL)
+   return netlink_error(ctx, loc,
+"MASQUERADE statement"
+"has no proto expression");
+   expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+   if (stmt->masq.proto != NULL)
+   proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+   stmt->nat.proto = proto;
+   }
+
list_add_tail(&stmt->list, &ctx->rule->stmts);
 }
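Review bot: The range branch stores into the wrong statement member: after `stmt->masq.proto = proto` and `if (stmt->masq.proto != NULL)`, the next two lines read and write `stmt->nat.proto`, so the range expression never lands on the masq statement — they should read `proto = range_expr_alloc(loc, stmt->masq.proto, proto);` and `stmt->masq.proto = proto;`. Both netlink_error calls also concatenate their string literals without a separator, yielding "MASQUERADE statementhas no proto expression"; add the trailing space, `"MASQUERADE statement "`. netlink_parse_masq's signature and local declarations are in the previous hunk.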
 
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 7c6ef16..7ae7cb7 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -827,11 +827,35 @@ static void netlink_gen_masq_stmt(struct 
netlink_linearize_ctx *ctx,
  const struct stmt *stmt)
 {
struct nftnl_expr *nle;
+   enum nft_registers pmin_reg, pmax_reg;
+   int registers = 0;
 
nle = alloc_nft_expr("masq");
if (stmt->masq.flags != 0)
nftnl_expr_set_u32(nle, NFTNL_EXPR_MASQ_FLAGS,
  stmt->masq.flags);
+   if (stmt->masq.proto) {
+   pmin_reg = get_register(ctx, NULL);
+   registers++;
+
+   if (stmt->masq.proto->ops->type == EXPR_RANGE) {
+   pmax_reg = get_register(ctx, NULL);
+   registers++;
+
+   netlink_gen_expr(ctx, stmt->masq.proto->left, pmin_reg);
+   netlink_gen_expr(ctx, stmt->masq.proto->right, 
pmax_reg);
+   netlink_put_register(nle, 
NFTNL_EXPR_MASQ_REG_PROTO_MIN, pmin_reg);
+   netlink_put_register(nle, 
NFTNL_EXPR_MASQ_REG_PROTO_MAX, pmax_reg);
+   } else {
+   netlink_gen_expr(ctx, stmt->masq.proto, pmin_reg);
+   netlink_put_register(nle, 
NFTNL_EXPR_MASQ_REG_PROTO_MIN, pmin_reg);
+   }
+   }
+
+   while (registers > 0) {
+   release_register(ctx, NULL);
+   registers--;
+   }
 
nftnl_rule_add_expr(ctx->nlr, nle);
 }
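Review bot: The continuation lines after `netlink_gen_expr(ctx, stmt->masq.proto->right,` and after each of the three `netlink_put_register(nle,` calls carry no leading `+`, which looks like mailer line wrapping, so this hunk will not apply as posted; resend with wrapping disabled or break those calls within the line limit. The register bookkeeping itself, `get_register` balanced by the `release_register` loop over `registers`, matches the redirect pattern elsewhere in this file. netlink_gen_masq_stmt's signature is split across the hunk header lines.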
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ec1e742..9868bd6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1588,17 +1588,28 @@ nat_stmt_args   :   expr
}
;
 
-masq_stmt  :   masq_stmt_alloc
-   |   masq_stmt_alloc nf_nat_flags
-   {
-   $$ = $1;
-   $$->masq.flags = $2;
-   }
+masq_stmt  :   masq_stmt_alloc m

[PATCH libnftnl v3] Add support for masq port selection

2016-01-22 Thread Shivani Bhardwaj
Complete masquerading support by allowing port range selection.

Signed-off-by: Shivani Bhardwaj 
---
Changes in v3:
Use different values for testing

 include/libnftnl/expr.h |  4 ++-
 include/linux/netfilter/nf_tables.h |  2 ++
 src/expr/masq.c | 60 +++--
 tests/nft-expr_masq-test.c  |  8 +
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 4a37581..13c2ff5 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -166,7 +166,9 @@ enum {
 };
 
 enum {
-   NFTNL_EXPR_MASQ_FLAGS   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_FLAGS   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_REG_PROTO_MIN,
+   NFTNL_EXPR_MASQ_REG_PROTO_MAX,
 };
 
 enum {
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 9796d82..c17615a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -924,6 +924,8 @@ enum nft_nat_attributes {
 enum nft_masq_attributes {
NFTA_MASQ_UNSPEC,
NFTA_MASQ_FLAGS,
+   NFTA_MASQ_REG_PROTO_MIN,
+   NFTA_MASQ_REG_PROTO_MAX,
__NFTA_MASQ_MAX
 };
 #define NFTA_MASQ_MAX  (__NFTA_MASQ_MAX - 1)
diff --git a/src/expr/masq.c b/src/expr/masq.c
index 01512b4..da0e812 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -21,7 +21,9 @@
 #include 
 
 struct nftnl_expr_masq {
-   uint32_tflags;
+   uint32_tflags;
+   enum nft_registers  sreg_proto_min;
+   enum nft_registers  sreg_proto_max;
 };
 
 static int
@@ -33,6 +35,12 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_MASQ_FLAGS:
masq->flags = *((uint32_t *)data);
+break;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   masq->sreg_proto_min = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   masq->sreg_proto_max = *((uint32_t *)data);
break;
default:
return -1;
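Review bot: The added `break;` after `masq->flags = *((uint32_t *)data);` sits at column 0 instead of being tab-indented with the rest of the case body, and the added `}` closing the `tb[NFTA_MASQ_FLAGS]` block in nftnl_expr_masq_parse below has the same problem; the same two lines appear in the v2 posting of this patch further down. Indent both to match the surrounding code so the switch and the parse function read consistently.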
@@ -50,6 +58,12 @@ nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t 
type,
case NFTNL_EXPR_MASQ_FLAGS:
*data_len = sizeof(masq->flags);
return &masq->flags;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   *data_len = sizeof(masq->sreg_proto_min);
+   return &masq->sreg_proto_min;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   *data_len = sizeof(masq->sreg_proto_max);
+   return &masq->sreg_proto_max;
}
return NULL;
 }
@@ -63,6 +77,8 @@ static int nftnl_expr_masq_cb(const struct nlattr *attr, void 
*data)
return MNL_CB_OK;
 
switch (type) {
+   case NFTA_MASQ_REG_PROTO_MIN:
+   case NFTA_MASQ_REG_PROTO_MAX:
case NFTA_MASQ_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -80,6 +96,12 @@ nftnl_expr_masq_build(struct nlmsghdr *nlh, struct 
nftnl_expr *e)
 
if (e->flags & (1 << NFTNL_EXPR_MASQ_FLAGS))
mnl_attr_put_u32(nlh, NFTA_MASQ_FLAGS, htobe32(masq->flags));
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MIN,
+htobe32(masq->sreg_proto_min));
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MAX,
+htobe32(masq->sreg_proto_max));
 }
 
 static int
@@ -94,6 +116,16 @@ nftnl_expr_masq_parse(struct nftnl_expr *e, struct nlattr 
*attr)
if (tb[NFTA_MASQ_FLAGS]) {
masq->flags = be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_FLAGS]));
e->flags |= (1 << NFTNL_EXPR_MASQ_FLAGS);
+}
+   if (tb[NFTA_MASQ_REG_PROTO_MIN]) {
+   masq->sreg_proto_min =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MIN]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN);
+   }
+   if (tb[NFTA_MASQ_REG_PROTO_MAX]) {
+   masq->sreg_proto_max =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MAX]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX);
}
 
return 0;
@@ -104,11 +136,17 @@ nftnl_expr_masq_json_parse(struct nftnl_expr *e, json_t 
*root,
  struct nftnl_parse_err *err)
 {
 #ifdef JSON_PARSING
-   uint32_t flags;
+   uint32_t reg, flags;
 
if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32, &flags,
  err) == 0)
nftnl_expr_set_u32(e, NFTNL_EXPR_MASQ

[PATCH libnftnl v2] Add support for masq port selection

2016-01-22 Thread Shivani Bhardwaj
Complete masquerading support by allowing port range selection.

Signed-off-by: Shivani Bhardwaj 
---
Changes in v2:
Add test file and keep switch cases in incremental order

 include/libnftnl/expr.h |  4 ++-
 include/linux/netfilter/nf_tables.h |  2 ++
 src/expr/masq.c | 60 +++--
 tests/nft-expr_masq-test.c  |  8 +
 4 files changed, 71 insertions(+), 3 deletions(-)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 4a37581..13c2ff5 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -166,7 +166,9 @@ enum {
 };
 
 enum {
-   NFTNL_EXPR_MASQ_FLAGS   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_FLAGS   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_REG_PROTO_MIN,
+   NFTNL_EXPR_MASQ_REG_PROTO_MAX,
 };
 
 enum {
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 9796d82..c17615a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -924,6 +924,8 @@ enum nft_nat_attributes {
 enum nft_masq_attributes {
NFTA_MASQ_UNSPEC,
NFTA_MASQ_FLAGS,
+   NFTA_MASQ_REG_PROTO_MIN,
+   NFTA_MASQ_REG_PROTO_MAX,
__NFTA_MASQ_MAX
 };
 #define NFTA_MASQ_MAX  (__NFTA_MASQ_MAX - 1)
diff --git a/src/expr/masq.c b/src/expr/masq.c
index 01512b4..da0e812 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -21,7 +21,9 @@
 #include 
 
 struct nftnl_expr_masq {
-   uint32_tflags;
+   uint32_tflags;
+   enum nft_registers  sreg_proto_min;
+   enum nft_registers  sreg_proto_max;
 };
 
 static int
@@ -33,6 +35,12 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
switch (type) {
case NFTNL_EXPR_MASQ_FLAGS:
masq->flags = *((uint32_t *)data);
+break;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   masq->sreg_proto_min = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   masq->sreg_proto_max = *((uint32_t *)data);
break;
default:
return -1;
@@ -50,6 +58,12 @@ nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t 
type,
case NFTNL_EXPR_MASQ_FLAGS:
*data_len = sizeof(masq->flags);
return &masq->flags;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   *data_len = sizeof(masq->sreg_proto_min);
+   return &masq->sreg_proto_min;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   *data_len = sizeof(masq->sreg_proto_max);
+   return &masq->sreg_proto_max;
}
return NULL;
 }
@@ -63,6 +77,8 @@ static int nftnl_expr_masq_cb(const struct nlattr *attr, void 
*data)
return MNL_CB_OK;
 
switch (type) {
+   case NFTA_MASQ_REG_PROTO_MIN:
+   case NFTA_MASQ_REG_PROTO_MAX:
case NFTA_MASQ_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -80,6 +96,12 @@ nftnl_expr_masq_build(struct nlmsghdr *nlh, struct 
nftnl_expr *e)
 
if (e->flags & (1 << NFTNL_EXPR_MASQ_FLAGS))
mnl_attr_put_u32(nlh, NFTA_MASQ_FLAGS, htobe32(masq->flags));
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MIN,
+htobe32(masq->sreg_proto_min));
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MAX,
+htobe32(masq->sreg_proto_max));
 }
 
 static int
@@ -94,6 +116,16 @@ nftnl_expr_masq_parse(struct nftnl_expr *e, struct nlattr 
*attr)
if (tb[NFTA_MASQ_FLAGS]) {
masq->flags = be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_FLAGS]));
e->flags |= (1 << NFTNL_EXPR_MASQ_FLAGS);
+}
+   if (tb[NFTA_MASQ_REG_PROTO_MIN]) {
+   masq->sreg_proto_min =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MIN]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN);
+   }
+   if (tb[NFTA_MASQ_REG_PROTO_MAX]) {
+   masq->sreg_proto_max =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MAX]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX);
}
 
return 0;
@@ -104,11 +136,17 @@ nftnl_expr_masq_json_parse(struct nftnl_expr *e, json_t 
*root,
  struct nftnl_parse_err *err)
 {
 #ifdef JSON_PARSING
-   uint32_t flags;
+   uint32_t reg, flags;
 
if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32, &flags,
  err) == 0)
nftnl_expr_set_u32(e, NFTNL_EXP

[PATCH] Add support for masq port selection

2016-01-21 Thread Shivani Bhardwaj
Complete masquerading support by allowing port range selection.

Signed-off-by: Shivani Bhardwaj 
---
 include/libnftnl/expr.h |  4 ++-
 include/linux/netfilter/nf_tables.h |  2 ++
 src/expr/masq.c | 64 ++---
 3 files changed, 65 insertions(+), 5 deletions(-)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 4a37581..ba5c605 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -166,7 +166,9 @@ enum {
 };
 
 enum {
-   NFTNL_EXPR_MASQ_FLAGS   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_REG_PROTO_MIN   = NFTNL_EXPR_BASE,
+   NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+   NFTNL_EXPR_MASQ_FLAGS,
 };
 
 enum {
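Review bot: Placing the two new entries before `NFTNL_EXPR_MASQ_FLAGS` changes the numeric value of an existing constant in the installed public header, so programs built against the previous libnftnl would pass a different attribute id to nftnl_expr_set_u32 / nftnl_expr_get. New attributes should be appended after the existing one: `NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,` followed by `NFTNL_EXPR_MASQ_REG_PROTO_MIN,` and `NFTNL_EXPR_MASQ_REG_PROTO_MAX,`. The v2 and v3 postings above already use that order.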
diff --git a/include/linux/netfilter/nf_tables.h 
b/include/linux/netfilter/nf_tables.h
index 9796d82..c17615a 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -924,6 +924,8 @@ enum nft_nat_attributes {
 enum nft_masq_attributes {
NFTA_MASQ_UNSPEC,
NFTA_MASQ_FLAGS,
+   NFTA_MASQ_REG_PROTO_MIN,
+   NFTA_MASQ_REG_PROTO_MAX,
__NFTA_MASQ_MAX
 };
 #define NFTA_MASQ_MAX  (__NFTA_MASQ_MAX - 1)
diff --git a/src/expr/masq.c b/src/expr/masq.c
index 01512b4..e7c9ec7 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -21,7 +21,9 @@
 #include 
 
 struct nftnl_expr_masq {
-   uint32_tflags;
+   uint32_tflags;
+   enum nft_registers  sreg_proto_min;
+   enum nft_registers  sreg_proto_max;
 };
 
 static int
@@ -31,6 +33,12 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
 
switch (type) {
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   masq->sreg_proto_min = *((uint32_t *)data);
+   break;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   masq->sreg_proto_max = *((uint32_t *)data);
+   break;
case NFTNL_EXPR_MASQ_FLAGS:
masq->flags = *((uint32_t *)data);
break;
@@ -47,6 +55,12 @@ nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t 
type,
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
 
switch (type) {
+   case NFTNL_EXPR_MASQ_REG_PROTO_MIN:
+   *data_len = sizeof(masq->sreg_proto_min);
+   return &masq->sreg_proto_min;
+   case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
+   *data_len = sizeof(masq->sreg_proto_max);
+   return &masq->sreg_proto_max;
case NFTNL_EXPR_MASQ_FLAGS:
*data_len = sizeof(masq->flags);
return &masq->flags;
@@ -63,6 +77,8 @@ static int nftnl_expr_masq_cb(const struct nlattr *attr, void 
*data)
return MNL_CB_OK;
 
switch (type) {
+   case NFTA_MASQ_REG_PROTO_MIN:
+   case NFTA_MASQ_REG_PROTO_MAX:
case NFTA_MASQ_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -78,6 +94,12 @@ nftnl_expr_masq_build(struct nlmsghdr *nlh, struct 
nftnl_expr *e)
 {
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
 
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MIN,
+htobe32(masq->sreg_proto_min));
+   if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX))
+   mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MAX,
+htobe32(masq->sreg_proto_max));
if (e->flags & (1 << NFTNL_EXPR_MASQ_FLAGS))
mnl_attr_put_u32(nlh, NFTA_MASQ_FLAGS, htobe32(masq->flags));
 }
@@ -91,6 +113,16 @@ nftnl_expr_masq_parse(struct nftnl_expr *e, struct nlattr 
*attr)
if (mnl_attr_parse_nested(attr, nftnl_expr_masq_cb, tb) < 0)
return -1;
 
+   if (tb[NFTA_MASQ_REG_PROTO_MIN]) {
+   masq->sreg_proto_min =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MIN]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MIN);
+   }
+   if (tb[NFTA_MASQ_REG_PROTO_MAX]) {
+   masq->sreg_proto_max =
+   be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MAX]));
+   e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX);
+   }
if (tb[NFTA_MASQ_FLAGS]) {
masq->flags = be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_FLAGS]));
e->flags |= (1 << NFTNL_EXPR_MASQ_FLAGS);
@@ -104,8 +136,14 @@ nftnl_expr_masq_json_parse(struct nftnl_expr *e, json_t 
*root,
  struct nftnl_parse_err *err)
 {
 #ifdef JSON_PARSING
-   uint32_t flags;
-
+   uint32_t reg, flags;
+
+   if (nftnl_jansson_parse_reg(root, "sreg_proto_min", NFTNL_TYPE_U32,
+   ®, err)