On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
> Add translation for dccp to nftables.
>
> Full translation of this match awaits the support for --dccp-option.
>
> Examples:
>
> $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
> nft add rule ip filter INPUT dccp sport 100 counter
>
> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
> nft add rule ip filter INPUT dccp dport 100-200 counter
>
> $ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
> nft add rule ip filter INPUT dccp dport != 100 counter
>
> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
> nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter
>
> Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
> ---
> Changes in v3:
> Return 0 if translation for dccp-option is demanded
>
> Changes in v2:
> Fix bugs and remove invalid dccp type
>
> Following is not added in commit message as it is not translation code
> issue:
> * Since inversion of set is not possible in nftables, using dccp
> with rules like
> ...dccp type != {request, response}..
> * dccp type reset
> is going to throw errors.
>
> extensions/libxt_dccp.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 92 insertions(+)
>
> diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
> index a35cabb..0d4f369 100644
> --- a/extensions/libxt_dccp.c
> +++ b/extensions/libxt_dccp.c
> @@ -277,6 +277,97 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
> }
> }
>
> +static const char *const dccp_pkt_types_xlate[] = {
> + [DCCP_PKT_REQUEST] = "request",
> + [DCCP_PKT_RESPONSE] = "response",
> + [DCCP_PKT_DATA] = "data",
> + [DCCP_PKT_ACK] = "ack",
> + [DCCP_PKT_DATAACK] = "dataack",
> + [DCCP_PKT_CLOSEREQ] = "closereq",
> + [DCCP_PKT_CLOSE] = "close",
> + [DCCP_PKT_RESET] = "reset",
> + [DCCP_PKT_SYNC] = "sync",
> + [DCCP_PKT_SYNCACK] = "syncack",
> +};
> +
> +static int dccp_type_xlate(const struct xt_dccp_info *einfo,
> + struct xt_xlate *xl)
> +{
> + bool have_type = false, set_need = false;
> + uint16_t types = einfo->typemask;
> +
> + if (types & (1 << DCCP_PKT_INVALID))
> + return 0;
> +
> + xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
> +
> + if ((types != 0) && !(types == (types & -types))) {
> + xt_xlate_add(xl, "{");
> + set_need = true;
> + }
> +
> + while (types) {
> + unsigned int i;
> +
> + for (i = 0; !(types & (1 << i)); i++);
> +
> + if (have_type)
> + xt_xlate_add(xl, ", ");
> + else
> + have_type = true;
> +
> + xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
> +
> + types &= ~(1 << i);
> + }
> +
> + if (set_need)
> + xt_xlate_add(xl, "}");
> +
> + xt_xlate_add(xl, " ");
> +
> + return 1;
> +}
> +
> +static int dccp_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + const struct xt_dccp_info *einfo =
> + (const struct xt_dccp_info *)match->data;
> + int ret = 1;
> +
> + xt_xlate_add(xl, "dccp ");
> +
> + if (einfo->flags & XT_DCCP_SRC_PORTS) {
> + if (einfo->spts[0] != einfo->spts[1])
> + xt_xlate_add(xl, "sport%s %u-%u ",
> + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
> + einfo->spts[0], einfo->spts[1]);
> + else
> + xt_xlate_add(xl, "sport%s %u ",
> + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
> + einfo->spts[0]);
> + }
> +
> + if (einfo->flags & XT_DCCP_DEST_PORTS) {
> + if (einfo->dpts[0] != einfo->dpts[1])
> + xt_xlate_add(xl, "dport%s %u-%u ",
> + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
> + einfo->dpts[0], einfo->dpts[1]);
> + else
> + xt_xlate_add(xl, "dport%s %u ",
> + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
> + einfo->dpts[0]);
> + }
> +
> + if (einfo->flags & XT_DCCP_TYPE)
> + ret = dccp_type_xlate(einfo, xl);
> +
> + if (einfo->flags & XT_DCCP_OPTION)
> + ret = 0;
Shouldn't you check fot this XT_DCCP_OPTION in first place?
Or you achieve the same effect? I don't remember how this is behaving
when we already translated many things but just one thing got left
behind.
> +
> + return ret;
> +}
> static struct xtables_match dccp_match = {
> .name = "dccp",
> .family = NFPROTO_UNSPEC,
> @@ -288,6 +379,7 @@ static struct xtables_match dccp_match = {
> .save = dccp_save,
> .x6_parse = dccp_parse,
> .x6_options = dccp_opts,
> + .xlate = dccp_xlate,
> };
>
> void _init(void)
> --
> 1.9.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
