v2: document the match semantics of -m socket. Ignore --nowildcard if used with other options when translating and add "wildcard 0" if the option is missing. "-m socket" will ignore sockets bound to 0.0.0.0/:: by default, unless --nowildcard is given. So, xlate must always append "wildcard 0", can elide "wildcard" if other options are present along with --nowildcard. To emulate "-m socket --nowildcard", check for "wildcard <= 1" to get a "socket exists" type matching.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
extensions/libxt_socket.c | 39 ++++++++++++++++++++++++++++++++++
extensions/libxt_socket.txlate | 17 +++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 extensions/libxt_socket.txlate
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index a99135cdfa0a..016ea3435339 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -159,6 +159,42 @@ socket_mt_print_v3(const void *ip, const struct xt_entry_match *match,
 socket_mt_save_v3(ip, match);
 }
+static int socket_mt_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params)
+{
+ const struct xt_socket_mtinfo3 *info = (const void *)params->match->data;
+ const char *space = "";
+
+ /* ONLY --nowildcard: match if socket exists. It does not matter
+ * to which address it is bound.
+ */
+ if (info->flags == XT_SOCKET_NOWILDCARD) {
+ xt_xlate_add(xl, "%ssocket wildcard le 1", space);
+ return 1;
+ }
+
+ /* Without --nowildcard, restrict to sockets NOT bound to
+ * the any address.
+ */
+ if ((info->flags & XT_SOCKET_NOWILDCARD) == 0) {
+ xt_xlate_add(xl, "socket wildcard 0");
+ space = " ";
+ }
+
+ if (info->flags & XT_SOCKET_TRANSPARENT) {
+ xt_xlate_add(xl, "%ssocket transparent 1", space);
+ space = " ";
+ }
+
+ /* If --nowildcard was given, -m socket should not test
+ * the bound address. We can simply ignore this; its
+ * equal to "wildcard <= 1".
+ */
+ if (info->flags & XT_SOCKET_RESTORESKMARK)
+ xt_xlate_add(xl, "%smeta mark set socket mark", space);
+
+ return 1;
+}
+
 static struct xtables_match socket_mt_reg[] = {
 {
 .name = "socket",
@@ -180,6 +216,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save,
 .x6_parse = socket_mt_parse,
 .x6_options = socket_mt_opts,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -193,6 +230,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v2,
 .x6_parse = socket_mt_parse_v2,
 .x6_options = socket_mt_opts_v2,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -206,6 +244,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v3,
 .x6_parse = socket_mt_parse_v3,
 .x6_options = socket_mt_opts_v3,
+ .xlate = socket_mt_xlate,
 },
 };
diff --git a/extensions/libxt_socket.txlate b/extensions/libxt_socket.txlate
new file mode 100644
index 000000000000..7731e42eabf7
--- /dev/null
+++ b/extensions/libxt_socket.txlate
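Review bot: The comment block sitting directly above the `XT_SOCKET_RESTORESKMARK` branch (`/* If --nowildcard was given, -m socket should not test the bound address ... its equal to "wildcard <= 1". */`) explains the --nowildcard handling, not the mark restore that follows it, so a reader of that `if` gets the wrong explanation; move it up next to the `info->flags == XT_SOCKET_NOWILDCARD` check (or merge it into that comment) and change `its` to `it's`. A second point deserves a comment rather than a code change: `info` is cast to `struct xt_socket_mtinfo3` for all three registrations that receive `.xlate`, including the entries whose option tables are `socket_mt_opts` and `socket_mt_opts_v2` and whose match data is presumably the smaller v1/v2 info struct, which is only safe because the function reads `info->flags` alone; a line such as `/* only flags is read; it is the first member of every match-info revision */` would record that, and it should be confirmed against the struct definitions. Note also that for `--nowildcard` combined with exactly one other option the function emits no `socket wildcard` key at all and relies on `socket transparent 1` or `meta mark set socket mark` alone to imply that a socket exists; if that reliance is intended, say so in the function header comment, since nothing in the visible code states it.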
@@ -0,0 +1,17 @@
+# old socket match, no options. Matches if sk can be found and it is not bound to 0.0.0.0/::
+iptables-translate -A INPUT -m socket
+nft 'add rule ip filter INPUT socket wildcard 0 counter'
+
+iptables-translate -A INPUT -m socket --transparent
+nft 'add rule ip filter INPUT socket wildcard 0 socket transparent 1 counter'
+
+# Matches if sk can be found. Doesn't matter as to what addess it is bound to.
+# therefore, emulate "exists".
+iptables-translate -A INPUT -m socket --nowildcard
+nft 'add rule ip filter INPUT socket wildcard le 1 counter'
+
+iptables-translate -A INPUT -m socket --restore-skmark
+nft 'add rule ip filter INPUT socket wildcard 0 meta mark set socket mark counter'
+
+iptables-translate -A INPUT -m socket --transparent --nowildcard --restore-skmark
+nft 'add rule ip filter INPUT socket transparent 1 meta mark set socket mark counter'
-- 2.44.0
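Review bot: The two-option combinations `--nowildcard --restore-skmark` and `--nowildcard --transparent` are not covered here, even though they are the cases where the translator drops the `socket wildcard` key entirely and the resulting rule carries no explicit existence check; only the lone `--nowildcard` and the three-option case are pinned. Add both, with expected output `nft 'add rule ip filter INPUT meta mark set socket mark counter'` and `nft 'add rule ip filter INPUT socket transparent 1 counter'` respectively, if that is indeed the intended translation, so a later change to the elision logic is caught. The comment on the second --nowildcard case also has a typo: `addess` should read `address`.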