From 83f60fb37d594d1984a4e8a197d8f99eb8b2db30 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 1 Feb 2024 15:42:10 +0100
Subject: extensions: mh: Save/xlate inverted full ranges

Also translate '-m mh' into an exthdr exists match unless '-p mh' is also present. The latter is converted into 'meta l4proto mh' which might need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter
---
 extensions/libip6t_mh.c | 20 ++++++++++++++++----
 extensions/libip6t_mh.t | 2 +-
 extensions/libip6t_mh.txlate | 4 ++--
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 1410d324..3f80e28e 100644
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -17,6 +17,7 @@
 #include
 #include
 #include
+#include
 enum {
 	O_MH_TYPE = 0,
@@ -154,11 +155,16 @@ static void print_type(uint8_t type, int numeric)
 	printf("%s", name);
 }
+static bool skip_types_match(uint8_t min, uint8_t max, bool inv)
+{
+	return min == 0 && max == UINT8_MAX && !inv;
+}
+
 static void print_types(uint8_t min, uint8_t max, int invert, int numeric)
 {
 	const char *inv = invert ? "!" : "";
-	if (min != 0 || max != 0xFF || invert) {
+	if (!skip_types_match(min, max, invert)) {
 		printf(" ");
 		if (min == max) {
 			printf("%s", inv);
@@ -189,11 +195,12 @@ static void mh_print(const void *ip, const struct xt_entry_match *match,
 static void mh_save(const void *ip, const struct xt_entry_match *match)
 {
 	const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+	bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
-	if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+	if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type))
 		return;
-	if (mhinfo->invflags & IP6T_MH_INV_TYPE)
+	if (inv_type)
 		printf(" !");
 	if (mhinfo->types[0] != mhinfo->types[1])
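Review bot: skip_types_match is introduced without a comment, yet its third operand is the whole point of the fix — the old `min != 0 || max != 0xFF` tests in print_types and mh_save treated an inverted full range like the default and silently dropped the `!`. A one-line header would keep the next maintainer from "simplifying" it back: `/* Only a non-inverted 0..255 range is the implicit default that needs no output; an inverted full range must still be printed/saved/translated. */`. Note that print_types passes its `int invert` into the `bool inv` parameter, which is a correct implicit conversion but could be made explicit with `invert != 0` if the project prefers it. The body of print_types continues outside the hunk.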
@@ -206,9 +213,14 @@ static int mh_xlate(struct xt_xlate *xl,
 		    const struct xt_xlate_mt_params *params)
 {
 	const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
+	bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
+	uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
-	if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xff)
+	if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
+		if (proto != IPPROTO_MH)
+			xt_xlate_add(xl, "exthdr mh exists");
 		return 1;
+	}
 	if (mhinfo->types[0] != mhinfo->types[1])
 		xt_xlate_add(xl, "mh type %s%u-%u",
diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t
index 151eabe6..b628e9e3 100644
--- a/extensions/libip6t_mh.t
+++ b/extensions/libip6t_mh.t
@@ -5,7 +5,7 @@
 -p mobility-header -m mh ! --mh-type 4;=;OK
 -p mobility-header -m mh --mh-type 4:123;=;OK
 -p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK
--p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh ! --mh-type 0:255;OK
 -p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK
 -p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK
 -p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK
diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 825c9569..3364ce57 100644
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
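Review bot: The `proto != IPPROTO_MH` test at the top of the new skip branch reads only the protocol number and not the inversion bit in the same `struct ip6t_ip6`, so a rule of the form `! -p mh -m mh` — if the option parser accepts that combination, which I cannot see from here — would have proto equal to IPPROTO_MH and lose the `exthdr mh exists` term even though the translated `meta l4proto` then no longer asserts that a mobility header is present. If that combination is rejected elsewhere, a comment saying so above the check would be enough; otherwise consult the flag too, e.g. `const struct ip6t_ip6 *ip6 = params->ip;` and `if (ip6->proto != IPPROTO_MH || (ip6->invflags & IP6T_INV_PROTO))`, which also drops the cast since params->ip is already a const pointer. The remainder of mh_xlate continues past the hunk.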
@@ -8,7 +8,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'
--
cgit v1.2.3