author | Phil Sutter <phil@nwl.cc> | 2024-02-01 15:47:09 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-02-02 18:26:14 +0100 |
commit | da13460f05eaee3b92c3b6d0ca2023c5377f4aca (patch) | |
tree | ea4313678cd6fe7de8d20ca08196e265741027aa | |
parent | a0e5dad34a6410e4960feb621780c4b06f374477 (diff) |
extensions: esp: Save/xlate inverted full ranges
Also add a translation for plain '-m esp' match which depends on the
address family: While ip6tables-translate may emit an exthdr exists
match, iptables-translate must stick to meta l4proto.
Fixes: 6cfa723a83d45 ("extensions: libxt_esp: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r-- | extensions/libxt_esp.c | 26 | ||||
-rw-r--r-- | extensions/libxt_esp.t | 2 | ||||
-rw-r--r-- | extensions/libxt_esp.txlate | 8 |
3 files changed, 23 insertions, 13 deletions
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c index 2c7ff942..8e9766d7 100644 --- a/extensions/libxt_esp.c +++ b/extensions/libxt_esp.c @@ -39,13 +39,18 @@ static void esp_parse(struct xt_option_call *cb) espinfo->invflags |= XT_ESP_INV_SPI; } +static bool skip_spis_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_spis(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_spis_match(min, max, invert)) { if (min == max) printf(" %s:%s%u", name, inv, min); else @@ -69,11 +74,10 @@ esp_print(const void *ip, const struct xt_entry_match *match, int numeric) static void esp_save(const void *ip, const struct xt_entry_match *match) { const struct xt_esp *espinfo = (struct xt_esp *)match->data; + bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI; - if (!(espinfo->spis[0] == 0 - && espinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --espspi ", - (espinfo->invflags & XT_ESP_INV_SPI) ? " !" : ""); + if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) { + printf("%s --espspi ", inv_spi ? " !" : ""); if (espinfo->spis[0] != espinfo->spis[1]) printf("%u:%u", 
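Review bot: skip_spis_match in the first hunk carries no comment saying why the inverted full range is deliberately not skipped, which is the whole point of the fix and is easy to misread as an oversight from the three-operand test alone; I would put above it `/* 0:UINT32_MAX matches every SPI and can be left out of save/xlate output, but its negation matches nothing and must be kept. */`. The helper takes `bool inv` while print_spis still forwards its `int invert` a few lines below; the conversion is well-defined, but declaring print_spis with `bool invert` as well (esp_save already narrows the flag to `bool inv_spi`) would keep the two in step, provided its callers only pass the masked flag, which the hunk does not show. print_spis continues past the end of the hunk, and the esp_save hunk is cut off after its first printf, so its tail is not reviewed here.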
@@ -90,15 +94,21 @@ static int esp_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct xt_esp *espinfo = (struct xt_esp *)params->match->data; + bool inv_spi = espinfo->invflags & XT_ESP_INV_SPI; - if (!(espinfo->spis[0] == 0 && espinfo->spis[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "esp spi%s", - (espinfo->invflags & XT_ESP_INV_SPI) ? " !=" : ""); + if (!skip_spis_match(espinfo->spis[0], espinfo->spis[1], inv_spi)) { + xt_xlate_add(xl, "esp spi%s", inv_spi ? " !=" : ""); if (espinfo->spis[0] != espinfo->spis[1]) xt_xlate_add(xl, " %u-%u", espinfo->spis[0], espinfo->spis[1]); else xt_xlate_add(xl, " %u", espinfo->spis[0]); + } else if (afinfo->family == NFPROTO_IPV4) { + xt_xlate_add(xl, "meta l4proto esp"); + } else if (afinfo->family == NFPROTO_IPV6) { + xt_xlate_add(xl, "exthdr esp exists"); + } else { + return 0; } return 1; diff --git a/extensions/libxt_esp.t b/extensions/libxt_esp.t index 686611f2..ece131c9 100644 --- a/extensions/libxt_esp.t +++ b/extensions/libxt_esp.t @@ -5,7 +5,7 @@ -p esp -m esp ! --espspi 0:4294967294;=;OK -p esp -m esp --espspi -1;;FAIL -p esp -m esp --espspi :;-p esp -m esp;OK --p esp -m esp ! --espspi :;-p esp -m esp;OK +-p esp -m esp ! --espspi :;-p esp -m esp ! --espspi 0:4294967295;OK -p esp -m esp --espspi :4;-p esp -m esp --espspi 0:4;OK -p esp -m esp --espspi 4:;-p esp -m esp --espspi 4:4294967295;OK -p esp -m esp --espspi 3:4;=;OK diff --git a/extensions/libxt_esp.txlate b/extensions/libxt_esp.txlate index 3b1d5718..5e8fb241 100644 --- a/extensions/libxt_esp.txlate +++ b/extensions/libxt_esp.txlate 
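Review bot: The new trailing `else { return 0; }` in esp_xlate turns plain `-m esp` into a failed translation for any family other than IPv4/IPv6, where the function previously returned 1 with empty output; that is probably the intended outcome (an untranslatable match should not silently become match-all), but nothing in the hunk says so, and whether another family can reach this code depends on the match registration outside the hunk. A short comment above the first `else if` would record the reasoning, e.g. `/* Plain '-m esp' must still pin the protocol; nft spells it per family, and other families are not translatable. */`. `afinfo` is presumably the xtables global, its declaration being outside the hunk. esp_xlate's closing brace lies beyond the end of the hunk.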
@@ -11,13 +11,13 @@ iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP nft 'add rule ip filter INPUT esp spi 500-600 counter drop' iptables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT meta l4proto esp counter drop' iptables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP -nft 'add rule ip filter INPUT counter drop' +nft 'add rule ip filter INPUT esp spi != 0-4294967295 counter drop' ip6tables-translate -A INPUT -p 50 -m esp --espspi 0:4294967295 -j DROP -nft 'add rule ip6 filter INPUT counter drop' +nft 'add rule ip6 filter INPUT exthdr esp exists counter drop' ip6tables-translate -A INPUT -p 50 -m esp ! --espspi 0:4294967295 -j DROP -nft 'add rule ip6 filter INPUT counter drop' +nft 'add rule ip6 filter INPUT esp spi != 0-4294967295 counter drop' |