Align output of ip(6)tables-translate for --protocol arguments with that of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The latter will consult xtables_chain_protos list first to make sure (the right) names are used for "common" protocol values and otherwise falls back to getprotobynumber() which it replaces here.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1738
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 extensions/generic.txlate | 30 ++++++++++++++++++++++++++++++
 iptables/nft-ipv4.c | 24 ++++++++++-------------
 iptables/nft-ipv6.c | 25 ++++++++++---------------
 iptables/xshared.c | 2 +-
 iptables/xshared.h | 2 ++
 5 files changed, 53 insertions(+), 30 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index b79239f1a0637..9ad1266dc623c 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -64,6 +64,36 @@ nft 'insert rule ip6 filter INPUT counter'
 ip6tables-translate -I INPUT ! -s ::/0
 nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter'
 
+iptables-translate -A FORWARD -p 132
+nft 'add rule ip filter FORWARD ip protocol sctp counter'
+
+ip6tables-translate -A FORWARD -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
+
+iptables-translate -A FORWARD ! -p 132
+nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+
+ip6tables-translate -A FORWARD ! -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+
+iptables-translate -A FORWARD -p 141
+nft 'add rule ip filter FORWARD ip protocol 141 counter'
+
+ip6tables-translate -A FORWARD -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+
+iptables-translate -A FORWARD ! -p 141
+nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+
+ip6tables-translate -A FORWARD ! -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+
+iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip filter FORWARD tcp dport 22 counter'
+
+ip6tables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip6 filter FORWARD tcp dport 22 counter'
+
 ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
 nft 'insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter'
 
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 979880a3e7702..0ce8477f76c2a 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
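Review bot: The `-p 141` expectations (`ip protocol 141`, `meta l4proto 141`) are only stable on hosts whose /etc/protocols has no entry for 141: per the commit message proto_to_name() falls back to getprotobynumber() for values outside xtables_chain_protos, and IANA assigns 141 to WESP, which IANA-derived /etc/protocols files may list, in which case the translation would read `ip protocol wesp` and the test fails. Picking a number from the unassigned range, e.g. `-p 200` in all eight 141 cases, or one the test harness can guarantee is unknown, would make the check host-independent. The 132 cases are safe because sctp is resolved from the built-in table before any lookup, as the commit message states.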
@@ -214,20 +214,16 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 }
 
 if (cs->fw.ip.proto != 0) {
- const struct protoent *pent =
- getprotobynumber(cs->fw.ip.proto);
- char protonum[sizeof("65535")];
- const char *name = protonum;
-
- snprintf(protonum, sizeof(protonum), "%u",
- cs->fw.ip.proto);
-
- if (!pent || !xlate_find_match(cs, pent->p_name)) {
- if (pent)
- name = pent->p_name;
- xt_xlate_add(xl, "ip protocol %s%s ",
- cs->fw.ip.invflags & IPT_INV_PROTO ?
- "!= " : "", name);
+ const char *pname = proto_to_name(cs->fw.ip.proto, 0);
+
+ if (!pname || !xlate_find_match(cs, pname)) {
+ xt_xlate_add(xl, "ip protocol");
+ if (cs->fw.ip.invflags & IPT_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", cs->fw.ip.proto);
 }
 }
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index e4b1714d00c2f..c371ba8c938c7 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -193,22 +193,17 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
 
 if (cs->fw6.ipv6.proto != 0) {
- const struct protoent *pent =
- getprotobynumber(cs->fw6.ipv6.proto);
- char protonum[sizeof("65535")];
- const char *name = protonum;
-
- snprintf(protonum, sizeof(protonum), "%u",
- cs->fw6.ipv6.proto);
-
- if (!pent || !xlate_find_match(cs, pent->p_name)) {
- if (pent)
- name = pent->p_name;
- xt_xlate_add(xl, "meta l4proto %s%s ",
- cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
- "!= " : "", name);
+ const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0);
+
+ if (!pname || !xlate_find_match(cs, pname)) {
+ xt_xlate_add(xl, "meta l4proto");
+ if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
+ xt_xlate_add(xl, " !=");
+ if (pname)
+ xt_xlate_add(xl, "%s", pname);
+ else
+ xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto);
 }
-
 }
 
 xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
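Review bot: The ten added lines under `if (cs->fw.ip.proto != 0)` in nft_ipv4_xlate() are the same code as the replacement in nft_ipv6_xlate() except for the `ip protocol` keyword and the `cs->fw.ip` accessors, and the two old copies had already drifted (the ipv6 one carried a stray blank line this patch removes), so a shared helper beside xlate_find_match() (nft-shared.c, presumably) would keep the next change to protocol translation in one place. The helper below reduces each call site to a single statement and keeps the format strings literal; nft_ipv4_xlate() begins and ends outside this hunk.

```c
/* Emit "<key> [!=] <proto>" unless a match extension of the same name
 * (e.g. "-m tcp") already implies the protocol. */
static void xlate_proto(struct xt_xlate *xl, const char *key,
			const struct iptables_command_state *cs,
			uint16_t proto, bool invert)
{
	const char *pname = proto_to_name(proto, 0);

	if (pname && xlate_find_match(cs, pname))
		return;

	xt_xlate_add(xl, "%s", key);
	if (invert)
		xt_xlate_add(xl, " !=");
	if (pname)
		xt_xlate_add(xl, "%s", pname);
	else
		xt_xlate_add(xl, "%hu", proto);
}

/* … unchanged: nft_ipv4_xlate() up to the protocol handling … */
	if (cs->fw.ip.proto != 0)
		xlate_proto(xl, "ip protocol", cs, cs->fw.ip.proto,
			    cs->fw.ip.invflags & IPT_INV_PROTO);
```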
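Review bot: The three-call emission at the `meta l4proto` lines (`xt_xlate_add(xl, "meta l4proto")`, then `" !="`, then `"%s"`) yields the expected `meta l4proto != sctp` only because xt_xlate_add() apparently inserts the separating space between fragments; that is visible from the generic.txlate expectations but not from this code, whereas the removed single format string `"meta l4proto %s%s "` made the spacing explicit. A one-line comment such as `/* xt_xlate_add() separates fragments with a space */` above the first call, or folding the inversion into the keyword with `xt_xlate_add(xl, "meta l4proto%s", cs->fw6.ipv6.invflags & IP6T_INV_PROTO ? " !=" : "");`, would spare the next reader a trip to libxtables. nft_ipv6_xlate() begins and ends outside this hunk.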
diff --git a/iptables/xshared.c b/iptables/xshared.c
index bff7d60ce1390..b998dd75aaf05 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -62,7 +62,7 @@ static void print_extension_helps(const struct xtables_target *t,
 }
 }
 
-static const char *
+const char *
 proto_to_name(uint16_t proto, int nolookup)
 {
 unsigned int i;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 7d4035ec03e52..26c492ebee9ec 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -335,4 +335,6 @@ void iface_to_mask(const char *ifname, unsigned char *mask);
 
 void xtables_clear_args(struct xtables_args *args);
 
+const char *proto_to_name(uint16_t proto, int nolookup);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.43.0
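Review bot: The newly exported prototype `const char *proto_to_name(uint16_t proto, int nolookup);` in xshared.h carries no comment, and now that callers in other files depend on it the contract belongs at the declaration: it returns NULL when no name is known (the nft-ipv4.c and nft-ipv6.c callers test for that and print the number instead), and `nolookup` presumably suppresses the getprotobynumber() fallback the commit message describes, which should be confirmed against the body, which is outside the hunk. A comment along the lines of `/* Name for L4 protocol number @proto: xtables_chain_protos first, then (unless @nolookup) getprotobynumber(). Returns NULL if unknown. */` would do. It is also worth stating that a name obtained through the getprotobynumber() path points into libc static storage and is not stable across further getproto*() calls, so callers should consume it promptly.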