On Thu, Mar 10, 2016 at 06:20:48PM +0530, Piyush Pangtey wrote:
> Added full translation for multiport
>
> Examples :
> $ iptables-translate -A input -p tcp -m multiport --ports ssh:http -j ACCEPT
> nft add rule ip filter input ip protocol tcp tcp dport { ssh - http } tcp sport
> { ssh - http } counter accept
>
> $ iptables-translate -A input -p sctp -m multiport --dports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol sctp sctp dport { 11 - 18 } counter
> accept
>
> $ iptables-translate -A input -p dccp -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip filter input ip protocol dccp dccp sport { 11 - 18 } counter
> accept
>
> $ ip6tables-translate -A input -p udplite -m multiport --sports 11:18 -j ACCEPT
> nft add rule ip6 filter input meta l4proto udplite udplite sport { 11 - 18 }
> counter accept
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@xxxxxxxxx>
> ---
> v2:
> Corrected the translations , as suggested by Arturo Borrero González
> v3:
> Removed static variable trick. Now utilizes ipt_ip and ip6t_ip which
> is now passed to xlate ,from the patch
> http://patchwork.ozlabs.org/patch/595128/
>
> Signed-off-by: Piyush Pangtey <gokuvsvegita@xxxxxxxxx>
> ---
> extensions/libxt_multiport.c | 199 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 199 insertions(+)
>
> diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
> index 03af5a9..4dccc1b 100644
> --- a/extensions/libxt_multiport.c
> +++ b/extensions/libxt_multiport.c
> @@ -278,6 +278,18 @@ print_port(uint16_t port, uint8_t protocol, int numeric)
> }
>
> static void
> +print_port_xlate(struct xt_xlate *xl, uint16_t port, uint8_t protocol,
> + int numeric)
> +{
> + const char *service;
> +
> + if (numeric || (service = port_to_service(port, protocol)) == NULL)
> + xt_xlate_add(xl, "%u", port);
> + else
> + xt_xlate_add(xl, "%s", service);
> +}
> +
> +static void
> __multiport_print(const struct xt_entry_match *match, int numeric,
> uint16_t proto)
> {
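Review bot: In print_port_xlate, the non-numeric branch writes whatever name port_to_service() returns straight into the generated nft rule, so the translated output depends on the services database of the machine that runs the translation (presumably a getservbyport-style lookup; the helper is defined outside this hunk). If the rule is later loaded on a host where that name maps to a different port, or is unknown, the new rule no longer filters what the iptables rule filtered. For a translation tool it is safer to emit the number unconditionally, `xt_xlate_add(xl, "%u", port);`, or at least to put a comment above the function such as `/* service names are resolved locally; pass numeric=1 for portable output */`.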
> @@ -318,6 +330,20 @@ static void multiport_print(const void *ip_void,
> __multiport_print(match, numeric, ip->proto);
> }
>
> +static void multiport_print_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, uint16_t proto,
> + int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo =
> + (const struct xt_multiport_v1 *)match->data;
> + unsigned int i;

Missing line break here.

> + for (i = 0; i < multiinfo->count; i++) {
> + xt_xlate_add(xl, "%s", i ? "," : "");
> + print_port_xlate(xl, multiinfo->ports[i],
> + proto, numeric);
> + }
> +}
> +
> static void multiport_print6(const void *ip_void,
> const struct xt_entry_match *match, int numeric)
> {
> @@ -372,6 +398,24 @@ static void multiport_print_v1(const void *ip_void,
> __multiport_print_v1(match, numeric, ip->proto);
> }
>
> +static void multiport_print_v1_xlate(const struct xt_entry_match *match,
> + struct xt_xlate *xl, uint16_t proto,
> + int numeric)
> +{
> + const struct xt_multiport_v1 *multiinfo =
> + (const struct xt_multiport_v1 *)match->data;
> + unsigned int i;

Missing line break here to separate variable declaration and function body.

> + for (i = 0; i < multiinfo->count; i++) {
> + xt_xlate_add(xl, "%s", i ? "," : "");
> + print_port_xlate(xl, multiinfo->ports[i], proto, numeric);
> + if (multiinfo->pflags[i]) {
> + xt_xlate_add(xl, " - ");
> + print_port_xlate(xl, multiinfo->ports[++i],
> + proto, numeric);
> + }
> + }
> +}
> +
> static void multiport_print6_v1(const void *ip_void,
> const struct xt_entry_match *match, int numeric)
> {
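Review bot: multiport_print_xlate (the hunk at -318,6 +330,20) casts match->data to `struct xt_multiport_v1`, the same type used by multiport_print_v1_xlate in the next hunk. If this function serves the revision 0 match, as its name and its position next to multiport_print suggest, the payload is presumably the smaller `struct xt_multiport`, and reading it through the v1 type is only correct while the two layouts happen to share their leading fields. The declaration should name the type that matches the revision: `const struct xt_multiport *multiinfo = (const struct xt_multiport *)match->data;`. Any later access to v1-only members such as pflags or invert through this pointer would read past the end of the revision 0 data.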
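Review bot: In multiport_print_v1_xlate (the hunk at -372,6 +398,24), `multiinfo->ports[++i]` advances the index without checking that a second slot exists. When pflags[i] is set on the last counted entry, the read goes past count, and past the end of ports[] if count already equals the array size. The data normally comes from this extension's own parser, which presumably always stores a range as two slots, but the translator should not rely on that: `if (multiinfo->pflags[i] && i + 1 < multiinfo->count) {`. It would also be worth clamping count to XT_MULTI_PORTS before the loop so that a malformed count cannot drive either array access out of bounds.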
> @@ -468,6 +512,157 @@ static void multiport_save6_v1(const void *ip_void, > __multiport_save_v1(match, ip->proto); > } > > +static int __multiport_xlate(const struct xt_entry_match *match, > + struct xt_xlate *xl, uint16_t protocol, int numeric) > +{ > + const struct xt_multiport_v1 *multiinfo = > + (const struct xt_multiport_v1 *)match->data; > + const char *proto_name; > + bool have_multiple = false, have_invert = false ; ^ remove this space. > + > + if((proto_name = proto_to_name(protocol)) != NULL){ ^ ^ missing space after if. > + if (multiinfo->count > 1) have_multiple = true; if (multiinfo->count > 1) have_multiple = true; Please, review coding style and resubmit. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html