[iptables PATCH 04/12] extensions: ah: Save/xlate inverted full ranges

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

While at it, fix xlate output for plain '-m ah' matches: With
ip6tables-translate, one should emit an extdhr exists match since
ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate,
a simple 'meta l4proto ah' was missing.

Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'")
Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libip6t_ah.c      | 22 +++++++++++++---------
 extensions/libip6t_ah.t      |  2 +-
 extensions/libip6t_ah.txlate |  4 ++--
 extensions/libipt_ah.c       | 22 ++++++++++++++--------
 extensions/libipt_ah.t       |  2 +-
 extensions/libipt_ah.txlate  |  4 ++--
 6 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index f35982f379d76..0f95c4735eabd 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -58,13 +58,18 @@ static void ah_parse(struct xt_option_call *cb)
 	}
 }
 
+static bool skip_spi_match(uint32_t min, uint32_t max, bool inv)
+{
+	return min == 0 && max == UINT32_MAX && !inv;
+}
+
 static void
 print_spis(const char *name, uint32_t min, uint32_t max,
 	    int invert)
 {
 	const char *inv = invert ? "!" : "";
 
-	if (min != 0 || max != 0xFFFFFFFF || invert) {
+	if (!skip_spi_match(min, max, invert)) {
 		if (min == max)
 			printf("%s:%s%u", name, inv, min);
 		else
@@ -103,11 +108,10 @@ static void ah_print(const void *ip, const struct xt_entry_match *match,
 static void ah_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data;
+	bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI;
 
-	if (!(ahinfo->spis[0] == 0
-	    && ahinfo->spis[1] == 0xFFFFFFFF)) {
-		printf("%s --ahspi ",
-			(ahinfo->invflags & IP6T_AH_INV_SPI) ? " !" : "");
+	if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+		printf("%s --ahspi ", inv_spi ? " !" : "");
 		if (ahinfo->spis[0]
 		    != ahinfo->spis[1])
 			printf("%u:%u",
@@ -132,11 +136,11 @@ static int ah_xlate(struct xt_xlate *xl,
 		    const struct xt_xlate_mt_params *params)
 {
 	const struct ip6t_ah *ahinfo = (struct ip6t_ah *)params->match->data;
+	bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI;
 	char *space = "";
 
-	if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
-		xt_xlate_add(xl, "ah spi%s ",
-			(ahinfo->invflags & IP6T_AH_INV_SPI) ? " !=" : "");
+	if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+		xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : "");
 		if (ahinfo->spis[0] != ahinfo->spis[1])
 			xt_xlate_add(xl, "%u-%u", ahinfo->spis[0],
 				     ahinfo->spis[1]);
@@ -158,7 +162,7 @@ static int ah_xlate(struct xt_xlate *xl,
 	}
 
 	if (!space[0]) /* plain '-m ah' */
-		xt_xlate_add(xl, "meta l4proto ah");
+		xt_xlate_add(xl, "exthdr ah exists");
 
 	return 1;
 }
diff --git a/extensions/libip6t_ah.t b/extensions/libip6t_ah.t
index eeba7b451fc6d..19aa6f55ec0e9 100644
--- a/extensions/libip6t_ah.t
+++ b/extensions/libip6t_ah.t
@@ -14,7 +14,7 @@
 -m ah --ahspi;;FAIL
 -m ah;=;OK
 -m ah --ahspi :;-m ah;OK
--m ah ! --ahspi :;-m ah;OK
+-m ah ! --ahspi :;-m ah ! --ahspi 0:4294967295;OK
 -m ah --ahspi :3;-m ah --ahspi 0:3;OK
 -m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK
 -m ah --ahspi 3:3;-m ah --ahspi 3;OK
diff --git a/extensions/libip6t_ah.txlate b/extensions/libip6t_ah.txlate
index fc7248abba001..32c6b7de00937 100644
--- a/extensions/libip6t_ah.txlate
+++ b/extensions/libip6t_ah.txlate
@@ -17,7 +17,7 @@ ip6tables-translate -A INPUT -m ah --ahspi 500 --ahlen 120 --ahres -j ACCEPT
 nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
 
 ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT exthdr ah exists counter'
 
 ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT ah spi != 0-4294967295 counter'
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index fec5705ce6f53..39e3013d3e74b 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -39,13 +39,18 @@ static void ah_parse(struct xt_option_call *cb)
 		ahinfo->invflags |= IPT_AH_INV_SPI;
 }
 
+static bool skip_spi_match(uint32_t min, uint32_t max, bool inv)
+{
+	return min == 0 && max == UINT32_MAX && !inv;
+}
+
 static void
 print_spis(const char *name, uint32_t min, uint32_t max,
 	    int invert)
 {
 	const char *inv = invert ? "!" : "";
 
-	if (min != 0 || max != 0xFFFFFFFF || invert) {
+	if (!skip_spi_match(min, max, invert)) {
 		printf("%s", name);
 		if (min == max) {
 			printf(":%s", inv);
@@ -75,11 +80,10 @@ static void ah_print(const void *ip, const struct xt_entry_match *match,
 static void ah_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
+	bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI;
 
-	if (!(ahinfo->spis[0] == 0
-	    && ahinfo->spis[1] == 0xFFFFFFFF)) {
-		printf("%s --ahspi ",
-			(ahinfo->invflags & IPT_AH_INV_SPI) ? " !" : "");
+	if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+		printf("%s --ahspi ", inv_spi ? " !" : "");
 		if (ahinfo->spis[0]
 		    != ahinfo->spis[1])
 			printf("%u:%u",
@@ -96,15 +100,17 @@ static int ah_xlate(struct xt_xlate *xl,
 		    const struct xt_xlate_mt_params *params)
 {
 	const struct ipt_ah *ahinfo = (struct ipt_ah *)params->match->data;
+	bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI;
 
-	if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
-		xt_xlate_add(xl, "ah spi%s ",
-			   (ahinfo->invflags & IPT_AH_INV_SPI) ? " !=" : "");
+	if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+		xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : "");
 		if (ahinfo->spis[0] != ahinfo->spis[1])
 			xt_xlate_add(xl, "%u-%u", ahinfo->spis[0],
 				   ahinfo->spis[1]);
 		else
 			xt_xlate_add(xl, "%u", ahinfo->spis[0]);
+	} else {
+		xt_xlate_add(xl, "meta l4proto ah");
 	}
 
 	return 1;
diff --git a/extensions/libipt_ah.t b/extensions/libipt_ah.t
index d86ede60970ac..6059366013ad7 100644
--- a/extensions/libipt_ah.t
+++ b/extensions/libipt_ah.t
@@ -12,7 +12,7 @@
 -m ah;;FAIL
 -p ah -m ah;=;OK
 -p ah -m ah --ahspi :;-p ah -m ah;OK
--p ah -m ah ! --ahspi :;-p ah -m ah;OK
+-p ah -m ah ! --ahspi :;-p ah -m ah ! --ahspi 0:4294967295;OK
 -p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK
 -p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK
 -p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK
diff --git a/extensions/libipt_ah.txlate b/extensions/libipt_ah.txlate
index e35ac17ab6c64..baf5a0ae6182a 100644
--- a/extensions/libipt_ah.txlate
+++ b/extensions/libipt_ah.txlate
@@ -8,7 +8,7 @@ iptables-translate -A INPUT -p 51 -m ah ! --ahspi 50 -j DROP
 nft 'add rule ip filter INPUT ah spi != 50 counter drop'
 
 iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT meta l4proto ah counter drop'
 
 iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop'
-- 
2.43.0
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux