From aa98227ce600cf52dbcf41e26002db1f5395a871 Mon Sep 17 00:00:00 2001
From: Liping Zhang
Date: Sun, 25 Dec 2016 20:27:51 +0800
Subject: extensions: libxt_connbytes: Add translation to nft For example: # iptables-translate -A OUTPUT -m connbytes --connbytes 200 \ --connbytes-dir original --connbytes-mode packets nft add rule ip filter OUTPUT ct original packets ge 200 counter # iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 \ --connbytes-dir reply --connbytes-mode packets nft add rule ip filter OUTPUT ct reply packets lt 200 counter # iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 \ --connbytes-dir both --connbytes-mode bytes nft add rule ip filter OUTPUT ct bytes 200-600 counter # iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 \ --connbytes-dir both --connbytes-mode bytes nft add rule ip filter OUTPUT ct bytes != 200-600 counter # iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 \ --connbytes-dir both --connbytes-mode avgpkt nft add rule ip filter OUTPUT ct avgpkt 200 counter Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_connbytes.c | 56 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index ed2ad25d..b57f0fc0 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -156,6 +156,61 @@ static void connbytes_save(const void *ip, const struct xt_entry_match *match)
 print_direction(sinfo);
 }
 
+
+static int connbytes_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_connbytes_info *info = (void *)params->match->data;
+ unsigned long long from, to;
+ bool invert = false;
+
+ xt_xlate_add(xl, "ct ");
+
+ switch (info->direction) {
+ case XT_CONNBYTES_DIR_ORIGINAL:
+ xt_xlate_add(xl, "original ");
+ break;
+ case XT_CONNBYTES_DIR_REPLY:
+ xt_xlate_add(xl, "reply ");
+ break;
+ case XT_CONNBYTES_DIR_BOTH:
+ break;
+ default:
+ return 0;
+ }
+
+ switch (info->what) {
+ case XT_CONNBYTES_PKTS:
+ xt_xlate_add(xl, "packets ");
+ break;
+ case XT_CONNBYTES_BYTES:
+ xt_xlate_add(xl, "bytes ");
+ break;
+ case XT_CONNBYTES_AVGPKT:
+ xt_xlate_add(xl, "avgpkt ");
+ break;
+ default:
+ return 0;
+ }
+
+ if (info->count.from > info->count.to) {
+ invert = true;
+ from = info->count.to;
+ to = info->count.from;
+ } else {
+ to = info->count.to;
+ from = info->count.from;
+ }
+
+ if (from == to)
+ xt_xlate_add(xl, "%llu", from);
+ else if (to == UINT64_MAX)
+ xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from);
+ else
+ xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to);
+ return 1;
+}
+
 static struct xtables_match connbytes_match = {
 .family = NFPROTO_UNSPEC,
 .name = "connbytes",
@@ -167,6 +222,7 @@ static struct xtables_match connbytes_match = {
 .save = connbytes_save,
 .x6_parse = connbytes_parse,
 .x6_options = connbytes_opts,
+ .xlate = connbytes_xlate,
 };
 
 void _init(void)
--
cgit v1.2.3
From 1123e6a069123756c6c73d5557d06bc5fc31497e Mon Sep 17 00:00:00 2001
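Review bot: The swap at `if (info->count.from > info->count.to)` carries the whole meaning of the negated forms shown in the commit message, yet nothing in the function says why a reversed range means "invert"; a reader without the option parser in front of them will take `invert = true` for a mistake. A comment above that test, such as `/* a negated range is stored with from/to swapped (see the "!" examples); normalise it and remember to negate the nft relation */`, would keep that convention next to the code that depends on it — the convention itself is inferred from the "lt"/"!=" outputs rather than from lines visible here. Note also that `xt_xlate_add(xl, "ct ")` and the direction word have already been appended before either `default: return 0;` runs, so the unsupported path leaves partial text in `xl`; if the caller prints the buffer for a 0 result instead of discarding it, that fragment would end up in the output, which is worth confirming. The second hunk of this patch only registers `.xlate = connbytes_xlate` and needs nothing further.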
From: Liping Zhang
Date: Sat, 7 Jan 2017 22:26:46 +0800
Subject: extensions: libxt_rpfilter: add translation to nft For example: # iptables-translate -t mangle -A PREROUTING -m rpfilter nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter # iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \ --loose nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter # ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \ --invert nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter Finally, when the "--accept-local" option is specified, we can combine with "fib saddr type" to simulate it. But when it is used like this: "-m rpfilter --accept-local", it means "||" relationship, so we cannot translate it to one single nft rule, translation is not supported yet: # iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local nft # -t mangle -A PREROUTING -m rpfilter --accept-local When "--accpet-local" is combined with "--invert", it means "&&" relationship, so translation can be: # iptables-translate -t mangle -A PREROUTING -m rpfilter \ --accept-local --invert nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \ . iif oif 0 counter Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_rpfilter.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/extensions/libxt_rpfilter.c b/extensions/libxt_rpfilter.c
index 168e703f..d166baa2 100644
--- a/extensions/libxt_rpfilter.c
+++ b/extensions/libxt_rpfilter.c
@@ -77,6 +77,31 @@ static void rpfilter_save(const void *ip, const struct xt_entry_match *match)
 return rpfilter_print_prefix(ip, match->data, "--");
 }
 
+static int rpfilter_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_rpfilter_info *info = (void *)params->match->data;
+ bool invert = info->flags & XT_RPFILTER_INVERT;
+
+ if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
+ if (invert)
+ xt_xlate_add(xl, "fib saddr type != local ");
+ else
+ return 0;
+ }
+
+ xt_xlate_add(xl, "fib saddr ");
+
+ if (info->flags & XT_RPFILTER_VALID_MARK)
+ xt_xlate_add(xl, ". mark ");
+ if (!(info->flags & XT_RPFILTER_LOOSE))
+ xt_xlate_add(xl, ". iif ");
+
+ xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
+
+ return 1;
+}
+
 static struct xtables_match rpfilter_match = {
 .family = NFPROTO_UNSPEC,
 .name = "rpfilter",
@@ -88,6 +113,7 @@ static struct xtables_match rpfilter_match = {
 .save = rpfilter_save,
 .x6_parse = rpfilter_parse,
 .x6_options = rpfilter_opts,
+ .xlate = rpfilter_xlate,
 };
 
 void _init(void)
--
cgit v1.2.3
From 96472f872800db05bb7d66db827dbd9c76e28ea6 Mon Sep 17 00:00:00 2001
From: Thomas Habets
Date: Wed, 18 Jan 2017 08:58:13 -0500
Subject: iptables-save: exit with error if unable to open proc file Signed-off-by: Florian Westphal
---
 iptables/ip6tables-save.c | 14 ++++++++++----
 iptables/iptables-save.c | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index f35e921e..053413a9 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
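Review bot: The `return 0` inside the `if (info->flags & XT_RPFILTER_ACCEPT_LOCAL)` branch is a deliberate "cannot translate" result, but the code gives no hint why the plain case is refused while the `invert` case is emitted; that reasoning currently lives only in the commit message. A comment above the branch, e.g. `/* --accept-local alone is an OR with the fib lookup and has no single-rule nft form; with --invert it becomes an AND and can be emitted as "fib saddr type != local" */`, would keep the knowledge with the code and stop a later reader from "fixing" the early return. As a point of style, `bool invert = info->flags & XT_RPFILTER_INVERT;` relies on the implicit conversion of a masked flag to bool, which is correct but reads less clearly than the `!!(...)` form used for `IPT_F_GOTO` in nft-ipv4.c further down this series. The second hunk only registers `.xlate = rpfilter_xlate`.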
@@ -35,10 +35,16 @@ static int for_each_table(int (*func)(const char *tablename))
 int ret = 1;
 FILE *procfile = NULL;
 char tablename[XT_TABLE_MAXNAMELEN+1];
-
- procfile = fopen("/proc/net/ip6_tables_names", "re");
- if (!procfile)
- return ret;
+ static const char filename[] = "/proc/net/ip6_tables_names";
+
+ procfile = fopen(filename, "re");
+ if (!procfile) {
+ if (errno == ENOENT)
+ return ret;
+ fprintf(stderr, "Failed to list table names in %s: %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
 
 while (fgets(tablename, sizeof(tablename), procfile)) {
 if (tablename[strlen(tablename) - 1] != '\n')
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 238f368e..e8ae9c6c 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -33,10 +33,16 @@ static int for_each_table(int (*func)(const char *tablename))
 int ret = 1;
 FILE *procfile = NULL;
 char tablename[XT_TABLE_MAXNAMELEN+1];
-
- procfile = fopen("/proc/net/ip_tables_names", "re");
- if (!procfile)
- return ret;
+ static const char filename[] = "/proc/net/ip_tables_names";
+
+ procfile = fopen(filename, "re");
+ if (!procfile) {
+ if (errno == ENOENT)
+ return ret;
+ fprintf(stderr, "Failed to list table names in %s: %s\n",
+ filename, strerror(errno));
+ exit(1);
+ }
 
 while (fgets(tablename, sizeof(tablename), procfile)) {
 if (tablename[strlen(tablename) - 1] != '\n')
--
cgit v1.2.3
From 7df66f1c13563cfbab75246b009ce36f69ee4487 Mon Sep 17 00:00:00 2001
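Review bot: The new `fopen` failure handling in `for_each_table` is duplicated verbatim between ip6tables-save.c and iptables-save.c (the second hunk on this page), differing only in the path string; a small shared helper taking the path would keep the two copies from drifting apart the next time the error policy changes. The `if (errno == ENOENT) return ret;` branch keeps the old silent behaviour for a kernel without the tables module while every other error is now reported and fatal, and that distinction deserves a one-line comment such as `/* no xtables module loaded: nothing to save, not an error */`. The hunk also relies on `errno`, `strerror` and `exit`, whose headers are outside this hunk, so it is worth confirming that `<errno.h>`, `<string.h>` and `<stdlib.h>` are already included in both files. `for_each_table` continues past the end of the hunk.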
From: Shyam Saini
Date: Thu, 26 Jan 2017 14:49:50 +0530
Subject: iptables: fix the wrong appending of jump verdict after the comment. Fix wrong appending of jump verdict after the comment For example: $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar" nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT Note that even without comment with double-quotes (i.e. --comment "foobar"), it will add quotes: $ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop Attempting to apply the translated/generated rule will result to: $ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT :1:111-114: Error: syntax error, unexpected jump, expecting endof file or newline or semicolon add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment "foobar"jump LONGNACCEPT After this patch $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar" nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\" which is correct translation Signed-off-by: Shyam Saini Reviewed-by: Shivani Bhardwaj Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv4.c | 5 ++---
 iptables/nft-ipv6.c | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 52b1bed2..e5947a7c 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -489,12 +489,11 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 
 /* Always add counters per rule, as in iptables */
 xt_xlate_add(xl, "counter ");
+ ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
 comment = xt_xlate_get_comment(xl);
 if (comment)
- xt_xlate_add(xl, "comment %s", comment);
-
- ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
+ xt_xlate_add(xl, " comment %s", comment);
 
 return ret;
 }
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index c475b8e9..9cf4058f 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -438,12 +438,11 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 
 /* Always add counters per rule, as in iptables */
 xt_xlate_add(xl, "counter ");
+ ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
 comment = xt_xlate_get_comment(xl);
 if (comment)
- xt_xlate_add(xl, "comment %s", comment);
-
- ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
+ xt_xlate_add(xl, " comment %s", comment);
 
 return ret;
 }
--
cgit v1.2.3
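Review bot: The leading blank in `xt_xlate_add(xl, " comment %s", comment);` is now the only separator between the verdict and the comment, so the fix silently depends on `xlate_action` not emitting a trailing space of its own; that contract is not visible from the hunk and deserves a comment on the line, e.g. `/* xlate_action() leaves no trailing blank, so the comment supplies its own separator */`, in both nft-ipv4.c and the matching nft-ipv6.c hunk below it. A second observation: `ret` from `xlate_action` is no longer the last thing computed, yet it is not checked before the comment is appended, so a failed action translation still gets a comment attached; that is harmless only if the caller discards the buffer whenever `ret` is 0, which cannot be confirmed from here. `nft_ipv4_xlate` and `nft_ipv6_xlate` both begin before their hunks.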