[iptables PATCH 08/12] extensions: esp: Save/xlate inverted full ranges


 



Also add a translation for the plain '-m esp' match (no SPI restriction), which depends on the address family: while ip6tables-translate may emit an 'exthdr esp exists' match, iptables-translate must stick to 'meta l4proto esp'.

Fixes: 6cfa723a83d45 ("extensions: libxt_esp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/libxt_esp.c      | 26 ++++++++++++++++++--------
 extensions/libxt_esp.t      |  2 +-
 extensions/libxt_esp.txlate |  8 ++++----
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index 2c7ff942cb9e0..8e9766d71ed57 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -39,13 +39,18 @@ static void esp_parse(struct xt_option_call *cb)
 		espinfo->invflags |= XT_ESP_INV_SPI;
 }
 
+static bool skip_spis_match(uint32_t min, uint32_t max, bool inv)
+{
+	return min == 0 && max == UINT32_MAX && !inv;
+}
+
 static void
 print_spis(const char *name, uint32_t min, uint32_t max,
 	    int invert)
 {
 	const char *inv = invert ? "!" : "";
 
-	if (min != 0 || max != 0xFFFFFFFF || invert) {
+	if (!skip_spis_match(min, max, invert)) {
 		if (min == max)
 			printf(" %s:%s%u", name, inv, min);
 		else
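Review bot: `skip_spis_match` carries the whole point of this fix but has no comment, and its three-term condition reads like an arbitrary special case without one. I would add above it: `/* A full, non-inverted SPI range matches every SPI and may be omitted from output. An inverted full range matches nothing, so it must be kept: dropping it on save/restore would turn a never-matching rule into one that matches all ESP traffic. */`. A minor style point: the helper takes `bool inv` while `print_spis` still declares `int invert`; either could adopt the other's type so the two agree. The body of `print_spis` continues past the end of this hunk.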
@@ -69,11 +74,10 @@ esp_print(const void *ip, const struct xt_entry_match *match, int numeric)
 static void esp_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct xt_esp *espinfo = (struct xt_esp *)match->data;
+	bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI;
 
-	if (!(espinfo->spis[0] == 0
-	    && espinfo->spis[1] == 0xFFFFFFFF)) {
-		printf("%s --espspi ",
-			(espinfo->invflags & XT_ESP_INV_SPI) ? " !" : "");
+	if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) {
+		printf("%s --espspi ", inv_spi ? " !" : "");
 		if (espinfo->spis[0]
 		    != espinfo->spis[1])
 			printf("%u:%u",
@@ -90,15 +94,21 @@ static int esp_xlate(struct xt_xlate *xl,
 		     const struct xt_xlate_mt_params *params)
 {
 	const struct xt_esp *espinfo = (struct xt_esp *)params->match->data;
+	bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI;
 
-	if (!(espinfo->spis[0] == 0 && espinfo->spis[1] == 0xFFFFFFFF)) {
-		xt_xlate_add(xl, "esp spi%s",
-			   (espinfo->invflags & XT_ESP_INV_SPI) ? " !=" : "");
+	if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) {
+		xt_xlate_add(xl, "esp spi%s", inv_spi ? " !=" : "");
 		if (espinfo->spis[0] != espinfo->spis[1])
 			xt_xlate_add(xl, " %u-%u", espinfo->spis[0],
 				   espinfo->spis[1]);
 		else
 			xt_xlate_add(xl, " %u", espinfo->spis[0]);
+	} else if (afinfo->family == NFPROTO_IPV4) {
+		xt_xlate_add(xl, "meta l4proto esp");
+	} else if (afinfo->family == NFPROTO_IPV6) {
+		xt_xlate_add(xl, "exthdr esp exists");
+	} else {
+		return 0;
 	}
 
 	return 1;
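Review bot: The two new family-specific fallback branches in `esp_xlate` (after the `skip_spis_match` test) encode a deliberate asymmetry that is explained only in the commit message, so a later "cleanup" could easily unify them wrongly. I would add above the `else if (afinfo->family == NFPROTO_IPV4)` line: `/* Plain '-m esp': only an "ESP header present" test remains. IPv4 cannot express that via exthdr, so use l4proto; IPv6 may look for the extension header instead. */`. Returning 0 for any other family is appropriate since the match cannot be expressed there. Note that `afinfo` is a global not declared in this hunk, so the translation now depends on it being initialised before `esp_xlate` runs; presumably that is guaranteed on the iptables-translate path, but it is worth confirming, as is that the target nft release accepts `esp` as an exthdr keyword.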
diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t
index 686611f22b457..ece131c934b90 100644
--- a/extensions/libxt_esp.t
+++ b/extensions/libxt_esp.t
@@ -5,7 +5,7 @@
 -p esp -m esp ! --espspi 0:4294967294;=;OK
 -p esp -m esp --espspi -1;;FAIL
 -p esp -m esp --espspi :;-p esp -m esp;OK
--p esp -m esp ! --espspi :;-p esp -m esp;OK
+-p esp -m esp ! --espspi :;-p esp -m esp ! --espspi 0:4294967295;OK
 -p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK
 -p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK
 -p esp -m esp --espspi 3:4;=;OK
diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate
index 3b1d5718057b1..5e8fb241beaf4 100644
--- a/extensions/libxt_esp.txlate
+++ b/extensions/libxt_esp.txlate
@@ -11,13 +11,13 @@ iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
 nft 'add rule ip filter INPUT esp spi 500-600 counter drop'
 
 iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT meta l4proto esp counter drop'
 
 iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT esp spi != 0-4294967295 counter drop'
 
 ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP
-nft 'add rule ip6 filter INPUT counter drop'
+nft 'add rule ip6 filter INPUT exthdr esp exists counter drop'
 
 ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP
-nft 'add rule ip6 filter INPUT counter drop'
+nft 'add rule ip6 filter INPUT esp spi != 0-4294967295 counter drop'
-- 
2.43.0





