On Mon, Mar 7, 2016 at 8:09 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Mar 04, 2016 at 03:31:45AM +0530, Shivani Bhardwaj wrote:
>> Add translation for dccp to nftables.
>>
>> Full translation of this match awaits the support for --dccp-option.
>>
>> Examples:
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
>> nft add rule ip filter INPUT dccp sport 100 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
>> nft add rule ip filter INPUT dccp dport 100-200 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
>> nft add rule ip filter INPUT dccp dport != 100 counter
>>
>> $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
>> nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter
>>
>> Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
>> ---
>> Changes in v3:
>> Return 0 if translation for dccp-option is demanded
>>
>> Changes in v2:
>> Fix bugs and remove invalid dccp type
>>
>> Following is not added in commit message as it is not translation code
>> issue:
>> * Since inversion of set is not possible in nftables, using dccp
>> with rules like
>> ...dccp type != {request, response}..
>> * dccp type reset
>> is going to throw errors.
>>
>> extensions/libxt_dccp.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++
>> 1 file changed, 92 insertions(+)
>>
>> diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
>> index a35cabb..0d4f369 100644
>> --- a/extensions/libxt_dccp.c
>> +++ b/extensions/libxt_dccp.c
>> @@ -277,6 +277,97 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
>> }
>> }
>>
>> +static const char *const dccp_pkt_types_xlate[] = {
>> + [DCCP_PKT_REQUEST] = "request",
>> + [DCCP_PKT_RESPONSE] = "response",
>> + [DCCP_PKT_DATA] = "data",
>> + [DCCP_PKT_ACK] = "ack",
>> + [DCCP_PKT_DATAACK] = "dataack",
>> + [DCCP_PKT_CLOSEREQ] = "closereq",
>> + [DCCP_PKT_CLOSE] = "close",
>> + [DCCP_PKT_RESET] = "reset",
>> + [DCCP_PKT_SYNC] = "sync",
>> + [DCCP_PKT_SYNCACK] = "syncack",
>> +};
>> +
>> +static int dccp_type_xlate(const struct xt_dccp_info *einfo,
>> + struct xt_xlate *xl)
>> +{
>> + bool have_type = false, set_need = false;
>> + uint16_t types = einfo->typemask;
>> +
>> + if (types & (1 << DCCP_PKT_INVALID))
>> + return 0;
>> +
>> + xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
>> +
>> + if ((types != 0) && !(types == (types & -types))) {
>> + xt_xlate_add(xl, "{");
>> + set_need = true;
>> + }
>> +
>> + while (types) {
>> + unsigned int i;
>> +
>> + for (i = 0; !(types & (1 << i)); i++);
>> +
>> + if (have_type)
>> + xt_xlate_add(xl, ", ");
>> + else
>> + have_type = true;
>> +
>> + xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
>> +
>> + types &= ~(1 << i);
>> + }
>> +
>> + if (set_need)
>> + xt_xlate_add(xl, "}");
>> +
>> + xt_xlate_add(xl, " ");
>> +
>> + return 1;
>> +}
>> +
>> +static int dccp_xlate(const struct xt_entry_match *match,
>> + struct xt_xlate *xl, int numeric)
>> +{
>> + const struct xt_dccp_info *einfo =
>> + (const struct xt_dccp_info *)match->data;
>> + int ret = 1;
>> +
>> + xt_xlate_add(xl, "dccp ");
>> +
>> + if (einfo->flags & XT_DCCP_SRC_PORTS) {
>> + if (einfo->spts[0] != einfo->spts[1])
>> + xt_xlate_add(xl, "sport%s %u-%u ",
>> + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
>> + einfo->spts[0], einfo->spts[1]);
>> + else
>> + xt_xlate_add(xl, "sport%s %u ",
>> + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
>> + einfo->spts[0]);
>> + }
>> +
>> + if (einfo->flags & XT_DCCP_DEST_PORTS) {
>> + if (einfo->dpts[0] != einfo->dpts[1])
>> + xt_xlate_add(xl, "dport%s %u-%u ",
>> + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
>> + einfo->dpts[0], einfo->dpts[1]);
>> + else
>> + xt_xlate_add(xl, "dport%s %u ",
>> + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
>> + einfo->dpts[0]);
>> + }
>> +
>> + if (einfo->flags & XT_DCCP_TYPE)
>> + ret = dccp_type_xlate(einfo, xl);
>> +
>> + if (einfo->flags & XT_DCCP_OPTION)
>> + ret = 0;
>
> Shouldn't you check fot this XT_DCCP_OPTION in first place?
>
> Or you achieve the same effect? I don't remember how this is behaving
> when we already translated many things but just one thing got left
> behind.
>
This gives the same effect.
$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100 --dccp-option 1
nft # -A INPUT -p dccp -m dccp --sport 100 --dccp-option 1
Please let me know if you're referring to something else.
>
>> +
>> + return ret;
>> +}
>> static struct xtables_match dccp_match = {
>> .name = "dccp",
>> .family = NFPROTO_UNSPEC,
>> @@ -288,6 +379,7 @@ static struct xtables_match dccp_match = {
>> .save = dccp_save,
>> .x6_parse = dccp_parse,
>> .x6_options = dccp_opts,
>> + .xlate = dccp_xlate,
>> };
>>
>> void _init(void)
>> --
>> 1.9.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
