Also translate plain '-m frag' match into an exthdr exists one.
Fixes: bd5bbc7a0fbd8 ("extensions: libip6t_frag: Add translation to nft")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
extensions/libip6t_frag.c | 27 ++++++++++++++++++---------
extensions/libip6t_frag.t | 2 +-
extensions/libip6t_frag.txlate | 4 ++--
3 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 49c787e709a9e..ed7fe10a4716d 100644
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -89,13 +89,18 @@ static void frag_parse(struct xt_option_call *cb)
}
}
+static bool skip_ids_match(uint32_t min, uint32_t max, bool inv)
+{
+ return min == 0 && max == UINT32_MAX && !inv;
+}
+
static void
print_ids(const char *name, uint32_t min, uint32_t max,
int invert)
{
const char *inv = invert ? "!" : "";
- if (min != 0 || max != 0xFFFFFFFF || invert) {
+ if (!skip_ids_match(min, max, invert)) {
printf("%s", name);
if (min == max)
printf(":%s%u", inv, min);
@@ -139,11 +144,10 @@ static void frag_print(const void *ip, const struct xt_entry_match *match,
static void frag_save(const void *ip, const struct xt_entry_match *match)
{
const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
+ bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS;
- if (!(fraginfo->ids[0] == 0
- && fraginfo->ids[1] == 0xFFFFFFFF)) {
- printf("%s --fragid ",
- (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? " !" : "");
+ if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) {
+ printf("%s --fragid ", inv_ids ? " !" : "");
if (fraginfo->ids[0]
!= fraginfo->ids[1])
printf("%u:%u",
@@ -173,22 +177,27 @@ static void frag_save(const void *ip, const struct xt_entry_match *match)
printf(" --fraglast");
}
+#define XLATE_FLAGS (IP6T_FRAG_RES | IP6T_FRAG_FST | \
+ IP6T_FRAG_MF | IP6T_FRAG_NMF)
+
static int frag_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct ip6t_frag *fraginfo =
(struct ip6t_frag *)params->match->data;
+ bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS;
- if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF)) {
- xt_xlate_add(xl, "frag id %s",
- (fraginfo->invflags & IP6T_FRAG_INV_IDS) ?
- "!= " : "");
+ if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) {
+ xt_xlate_add(xl, "frag id %s", inv_ids ? "!= " : "");
if (fraginfo->ids[0] != fraginfo->ids[1])
xt_xlate_add(xl, "%u-%u", fraginfo->ids[0],
fraginfo->ids[1]);
else
xt_xlate_add(xl, "%u", fraginfo->ids[0]);
+ } else if (!(fraginfo->flags & XLATE_FLAGS)) {
+ xt_xlate_add(xl, "exthdr frag exists");
+ return 1;
}
/* ignore ineffective IP6T_FRAG_LEN bit */
diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index 57f7da27d5e1d..ea7ac8995c27c 100644
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -1,6 +1,6 @@
:INPUT,FORWARD,OUTPUT
-m frag --fragid :;-m frag;OK
--m frag ! --fragid :;-m frag;OK
+-m frag ! --fragid :;-m frag ! --fragid 0:4294967295;OK
-m frag --fragid :42;-m frag --fragid 0:42;OK
-m frag --fragid 42:;-m frag --fragid 42:4294967295;OK
-m frag --fragid 1:42;=;OK
diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate
index 2b6585afbc826..e250587e7682c 100644
--- a/extensions/libip6t_frag.txlate
+++ b/extensions/libip6t_frag.txlate
@@ -17,7 +17,7 @@ ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT exthdr frag exists counter'
ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT frag id != 0-4294967295 counter'
--
2.43.0
