Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Pablo Neira Ayuso
On Wed, Mar 02, 2016 at 07:44:51PM +0530, Shivani Bhardwaj wrote:
> On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso  wrote:
> > On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
> >> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> >> > Add translation for sctp to nftables.
> >> > Full translation of this match awaits the support for --chunk-types
> >> > option.
> >>
> >> Please, keep this documented in the wiki too so we remember there is a
> >> partial translation for this.
> >>
> >> > Examples:
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> >> > nft add rule ip filter INPUT sctp dport 80 counter drop
> >> >
> >> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> >> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
> >>
> >> Applied, thanks Shivani.
> >
> > Sorry, I have to keep this back.
> >
> > This crazy thing seems to be valid:
> >
> > iptables -I INPUT -p sctp -m sctp
> >
> > and this will be translated as:
> >
> > nft add rule filter INPUT ip protocol sctp sctp
> 
> dmesg shows me
> 
> x_tables: ip_tables: sctp match: only valid for protocol 132

This happens when:

iptables -I INPUT -m sctp

> means sctp match is valid for sctp protocol. There should not be an
> sctp match (correct me if I am wrong here), should this be on
> bugzilla?

What I suggest is this:

const struct xt_sctp_info *einfo =
   (const struct xt_sctp_info *)match->data;

if (!einfo->flags) <--
return 0;

xt_xlate_add(xl, "sctp ");
if (einfo->flags & XT_SCTP_SRC_PORTS) {

Just skip if there is not flags set.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
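To make Pablo's suggestion concrete, here is an added, stand-alone C model of the sctp match translation (example code, not iptables' own libxt_sctp.c): the struct is a reduced stand-in for the kernel's xt_sctp_info with only the port fields, the flag values are assumed from xt_sctp.h, and chunk types are left out, as in the partial translation under discussion. The point it demonstrates is the early return when no flags are set, so `-p sctp -m sctp` with no options produces no bare `sctp` token, which nft rejects.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified model of struct xt_sctp_info: only the fields the
 * port translation needs. The real struct also carries the chunk map. */
#define XT_SCTP_SRC_PORTS  0x01
#define XT_SCTP_DEST_PORTS 0x02

struct sctp_info_model {
    uint16_t dpts[2];   /* destination port range, min/max */
    uint16_t spts[2];   /* source port range, min/max */
    uint32_t flags;     /* which options were given on the iptables line */
    uint32_t invflags;  /* which of those were negated with '!' */
};

/* Append one "sport 80 " / "dport != 80-100 " fragment to buf. */
static void xlate_ports(char *buf, size_t len, const char *key,
                        const uint16_t ports[2], int inverted)
{
    size_t used = strlen(buf);
    const char *neg = inverted ? "!= " : "";

    if (ports[0] == ports[1])
        snprintf(buf + used, len - used, "%s %s%u ", key, neg, ports[0]);
    else
        snprintf(buf + used, len - used, "%s %s%u-%u ", key, neg,
                 ports[0], ports[1]);
}

/* Translate the match into nft syntax. Returns the number of characters
 * written; 0 means the match carries no option at all ("-m sctp" without
 * --sport/--dport), so no "sctp" token is emitted at all, because nft
 * rejects a bare "sctp" ("expecting checksum or sport or dport or vtag"). */
size_t sctp_xlate(char *buf, size_t len, const struct sctp_info_model *info)
{
    buf[0] = '\0';
    if (!info->flags)
        return 0;

    snprintf(buf, len, "sctp ");
    if (info->flags & XT_SCTP_SRC_PORTS)
        xlate_ports(buf, len, "sport", info->spts,
                    info->invflags & XT_SCTP_SRC_PORTS);
    if (info->flags & XT_SCTP_DEST_PORTS)
        xlate_ports(buf, len, "dport", info->dpts,
                    info->invflags & XT_SCTP_DEST_PORTS);
    return strlen(buf);
}

/* Convenience wrapper returning the translation from a static buffer. */
const char *sctp_xlate_str(const struct sctp_info_model *info)
{
    static char out[128];
    sctp_xlate(out, sizeof out, info);
    return out;
}

int main(void)
{
    /* Constructed inputs mirroring the thread's three rules. */
    struct sctp_info_model dport80 = { .dpts = {80, 80},
                                       .flags = XT_SCTP_DEST_PORTS };
    struct sctp_info_model not_sport = { .spts = {80, 100},
                                         .flags = XT_SCTP_SRC_PORTS,
                                         .invflags = XT_SCTP_SRC_PORTS };
    struct sctp_info_model bare = { 0 };  /* -p sctp -m sctp, no options */

    printf("[%s]\n", sctp_xlate_str(&dport80));   /* [sctp dport 80 ] */
    printf("[%s]\n", sctp_xlate_str(&not_sport)); /* [sctp sport != 80-100 ] */
    printf("[%s]\n", sctp_xlate_str(&bare));      /* [] */
    return 0;
}
```

The caller (the translate framework in this model) is expected to append `counter drop` or `counter accept` itself; with the early return, the `-m sctp` case yields an empty fragment and the rule reduces to the `ip protocol sctp` test alone.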


Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Pablo Neira Ayuso
On Wed, Mar 02, 2016 at 03:47:32PM +0100, Jan Engelhardt wrote:
> 
> On Wednesday 2016-03-02 15:14, Shivani Bhardwaj wrote:
> >>
> >> This crazy thing seems to be valid:
> >>
> >> iptables -I INPUT -p sctp -m sctp
> 
> This is how all protocols are loaded. It can be readily seen
> in a iptables-save dump. One tests the L3 header field, the other
> loads the module for further options to do tests on L4 fields.
> 
> >>
> >> and this will be translated as:
> >>
> >> nft add rule filter INPUT ip protocol sctp sctp
> 
> that seems correct, does it not?

That translation is not correct in nft:

# nft add rule filter INPUT ip protocol sctp sctp
:1:44-44: Error: syntax error, unexpected end of file,
expecting checksum or sport or dport or vtag
add rule filter INPUT ip protocol sctp sctp


Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Jan Engelhardt

On Wednesday 2016-03-02 15:14, Shivani Bhardwaj wrote:
>>
>> This crazy thing seems to be valid:
>>
>> iptables -I INPUT -p sctp -m sctp

This is how all protocols are loaded. It can be readily seen
in a iptables-save dump. One tests the L3 header field, the other
loads the module for further options to do tests on L4 fields.

>>
>> and this will be translated as:
>>
>> nft add rule filter INPUT ip protocol sctp sctp

that seems correct, does it not?
"sctp" is just a shorthand representation for "sctp port 1:65535".


Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Shivani Bhardwaj
On Wed, Mar 2, 2016 at 5:24 PM, Pablo Neira Ayuso  wrote:
> On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
>> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
>> > Add translation for sctp to nftables.
>> > Full translation of this match awaits the support for --chunk-types
>> > option.
>>
>> Please, keep this documented in the wiki too so we remember there is a
>> partial translation for this.
>>
>> > Examples:
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
>> > nft add rule ip filter INPUT sctp dport 80 counter drop
>> >
>> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
>> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
>>
>> Applied, thanks Shivani.
>
> Sorry, I have to keep this back.
>
> This crazy thing seems to be valid:
>
> iptables -I INPUT -p sctp -m sctp
>
> and this will be translated as:
>
> nft add rule filter INPUT ip protocol sctp sctp

dmesg shows me

x_tables: ip_tables: sctp match: only valid for protocol 132

means sctp match is valid for sctp protocol. There should not be an
sctp match (correct me if I am wrong here), should this be on
bugzilla?


Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Pablo Neira Ayuso
On Wed, Mar 02, 2016 at 12:48:26PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> > Add translation for sctp to nftables.
> > Full translation of this match awaits the support for --chunk-types
> > option.
> 
> Please, keep this documented in the wiki too so we remember there is a
> partial translation for this.
> 
> > Examples:
> > 
> > $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> > nft add rule ip filter INPUT sctp dport 80 counter drop
> > 
> > $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> > nft add rule ip filter INPUT sctp sport != 80-100 counter accept
> 
> Applied, thanks Shivani.

Sorry, I have to keep this back.

This crazy thing seems to be valid:

iptables -I INPUT -p sctp -m sctp

and this will be translated as:

nft add rule filter INPUT ip protocol sctp sctp


Re: [PATCH] extensions: libxt_sctp: Add translation to nft

2016-03-02 Thread Pablo Neira Ayuso
On Wed, Mar 02, 2016 at 02:10:56AM +0530, Shivani Bhardwaj wrote:
> Add translation for sctp to nftables.
> Full translation of this match awaits the support for --chunk-types
> option.

Please, keep this documented in the wiki too so we remember there is a
partial translation for this.

> Examples:
> 
> $ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
> nft add rule ip filter INPUT sctp dport 80 counter drop
> 
> $ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
> nft add rule ip filter INPUT sctp sport != 80-100 counter accept

Applied, thanks Shivani.