diff options
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/libxt_dccp.c | 58 | ||||
-rw-r--r-- | extensions/libxt_dccp.txlate | 12 |
2 files changed, 45 insertions, 25 deletions
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c index 5e67c264..aea3e20b 100644 --- a/extensions/libxt_dccp.c +++ b/extensions/libxt_dccp.c @@ -76,6 +76,9 @@ static const char *const dccp_pkt_types[] = { [DCCP_PKT_INVALID] = "INVALID", }; +/* Bits for type values 11-15 */ +#define INVALID_OTHER_TYPE_MASK 0xf800 + static uint16_t parse_dccp_types(const char *typestring) { @@ -95,6 +98,9 @@ parse_dccp_types(const char *typestring) xtables_error(PARAMETER_PROBLEM, "Unknown DCCP type `%s'", ptr); } + if (typemask & (1 << DCCP_PKT_INVALID)) + typemask |= INVALID_OTHER_TYPE_MASK; + free(buffer); return typemask; @@ -193,9 +199,13 @@ print_types(uint16_t types, int inverted, int numeric) if (numeric) printf("%u", i); - else + else { printf("%s", dccp_pkt_types[i]); + if (i == DCCP_PKT_INVALID) + break; + } + types &= ~(1 << i); } } @@ -288,6 +298,7 @@ static const char *const dccp_pkt_types_xlate[] = { [DCCP_PKT_RESET] = "reset", [DCCP_PKT_SYNC] = "sync", [DCCP_PKT_SYNCACK] = "syncack", + [DCCP_PKT_INVALID] = "10-15", }; static int dccp_type_xlate(const struct xt_dccp_info *einfo, @@ -296,10 +307,10 @@ static int dccp_type_xlate(const struct xt_dccp_info *einfo, bool have_type = false, set_need = false; uint16_t types = einfo->typemask; - if (types & (1 << DCCP_PKT_INVALID)) - return 0; - - xt_xlate_add(xl, " dccp type%s ", einfo->invflags ? " !=" : ""); + if (types & INVALID_OTHER_TYPE_MASK) { + types &= ~INVALID_OTHER_TYPE_MASK; + types |= 1 << DCCP_PKT_INVALID; + } if ((types != 0) && !(types == (types & -types))) { xt_xlate_add(xl, "{"); @@ -335,34 +346,37 @@ static int dccp_xlate(struct xt_xlate *xl, char *space = ""; int ret = 1; - xt_xlate_add(xl, "dccp "); - if (einfo->flags & XT_DCCP_SRC_PORTS) { + xt_xlate_add(xl, "dccp sport%s %u", + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "", + einfo->spts[0]); + if (einfo->spts[0] != einfo->spts[1]) - xt_xlate_add(xl, "sport%s %u-%u", - einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "", - einfo->spts[0], einfo->spts[1]); - else - xt_xlate_add(xl, "sport%s %u", - einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "", - einfo->spts[0]); + xt_xlate_add(xl, "-%u", einfo->spts[1]); + space = " "; } if (einfo->flags & XT_DCCP_DEST_PORTS) { + xt_xlate_add(xl, "%sdccp dport%s %u", space, + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", + einfo->dpts[0]); + if (einfo->dpts[0] != einfo->dpts[1]) - xt_xlate_add(xl, "%sdport%s %u-%u", space, - einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", - einfo->dpts[0], einfo->dpts[1]); - else - xt_xlate_add(xl, "%sdport%s %u", space, - einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", - einfo->dpts[0]); + xt_xlate_add(xl, "-%u", einfo->dpts[1]); + + space = " "; } - if (einfo->flags & XT_DCCP_TYPE) + if (einfo->flags & XT_DCCP_TYPE && einfo->typemask) { + xt_xlate_add(xl, "%sdccp type%s ", space, + einfo->invflags & XT_DCCP_TYPE ? " !=" : ""); ret = dccp_type_xlate(einfo, xl); + space = " "; + } + + /* FIXME: no dccp option support in nftables yet */ if (einfo->flags & XT_DCCP_OPTION) ret = 0; diff --git a/extensions/libxt_dccp.txlate b/extensions/libxt_dccp.txlate index b47dc65f..ea853f6a 100644 --- a/extensions/libxt_dccp.txlate +++ b/extensions/libxt_dccp.txlate @@ -7,8 +7,14 @@ nft add rule ip filter INPUT dccp dport 100-200 counter iptables-translate -A INPUT -p dccp -m dccp ! --dport 100 nft add rule ip filter INPUT dccp dport != 100 counter -iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK -nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter +iptables-translate -A INPUT -p dccp -m dccp --dccp-types CLOSE +nft add rule ip filter INPUT dccp type close counter + +iptables-translate -A INPUT -p dccp -m dccp --dccp-types INVALID +nft add rule ip filter INPUT dccp type 10-15 counter + +iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK,INVALID +nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack, 10-15} counter iptables-translate -A INPUT -p dccp -m dccp --sport 200 --dport 100 -nft add rule ip filter INPUT dccp sport 200 dport 100 counter +nft add rule ip filter INPUT dccp sport 200 dccp dport 100 counter |