From 494eae37f2690be4a86fd6516264979afbfe95ca Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 6 Mar 2024 11:11:25 +0100
Subject: extensions: xt_socket: add txlate support for socket match
v2: document the match semantics of -m socket. Ignore --nowildcard if used with other options when translating and add "wildcard 0" if the option is missing. "-m socket" will ignore sockets bound to 0.0.0.0/:: by default, unless --nowildcard is given. So, xlate must always append "wildcard 0", can elide "wildcard" if other options are present along with --nowildcard. To emulate "-m socket --nowildcard", check for "wildcard <= 1" to get a "socket exists" type matching.
Signed-off-by: Florian Westphal
Acked-by: Phil Sutter
---
extensions/libxt_socket.c | 34 ++++++++++++++++++++++++++++++++++
extensions/libxt_socket.txlate | 17 +++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 extensions/libxt_socket.txlate
(limited to 'extensions')
diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index a99135cd..2dcfa221 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -159,6 +159,37 @@ socket_mt_print_v3(const void *ip, const struct xt_entry_match *match,
 socket_mt_save_v3(ip, match);
 }
+static int socket_mt_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params)
+{
+ const struct xt_socket_mtinfo3 *info = (const void *)params->match->data;
+
+ /* ONLY --nowildcard: match if socket exists. It does not matter
+ * to which address it is bound.
+ */
+ if (info->flags == XT_SOCKET_NOWILDCARD) {
+ xt_xlate_add(xl, "socket wildcard le 1");
+ return 1;
+ }
+
+ /* Without --nowildcard, restrict to sockets NOT bound to
+ * the any address.
+ */
+ if ((info->flags & XT_SOCKET_NOWILDCARD) == 0)
+ xt_xlate_add(xl, "socket wildcard 0");
+
+ if (info->flags & XT_SOCKET_TRANSPARENT)
+ xt_xlate_add(xl, "socket transparent 1");
+
+ /* If --nowildcard was given, -m socket should not test
+ * the bound address. We can simply ignore this; its
+ * equal to "wildcard <= 1".
+ */
+ if (info->flags & XT_SOCKET_RESTORESKMARK)
+ xt_xlate_add(xl, "meta mark set socket mark");
+
+ return 1;
+}
+
 static struct xtables_match socket_mt_reg[] = {
 {
 .name = "socket",
@@ -180,6 +211,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save,
 .x6_parse = socket_mt_parse,
 .x6_options = socket_mt_opts,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -193,6 +225,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v2,
 .x6_parse = socket_mt_parse_v2,
 .x6_options = socket_mt_opts_v2,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -206,6 +239,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v3,
 .x6_parse = socket_mt_parse_v3,
 .x6_options = socket_mt_opts_v3,
+ .xlate = socket_mt_xlate,
 },
 };
diff --git a/extensions/libxt_socket.txlate b/extensions/libxt_socket.txlate
new file mode 100644
index 00000000..7731e42e
--- /dev/null
+++ b/extensions/libxt_socket.txlate
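Review bot: The comment block beginning `/* If --nowildcard was given, -m socket should not test` in socket_mt_xlate sits directly above the XT_SOCKET_RESTORESKMARK test, but it explains why the multi-flag path emits no `socket wildcard` expression at all, so as placed it reads as a description of the mark-restore line; move it up to sit with the `/* Without --nowildcard, restrict ... */` comment and the `== 0` check, and fix `its` to `it's`. Separately, the same function is wired as `.xlate` for the entries using socket_mt_opts, socket_mt_opts_v2 and socket_mt_opts_v3 in the later hunks, yet it always reads the match data as `struct xt_socket_mtinfo3`; that works because every xt_socket_mtinfo revision starts with a single `flags` byte, but a one-line comment on the cast, `/* flags is at offset 0 in every xt_socket_mtinfo revision, so mtinfo3 covers the rev 1/2 entries too */`, would record the dependency for the next person who extends one of the structs. The three register-entry hunks are plain wiring and need nothing beyond that.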
@@ -0,0 +1,17 @@
+# old socket match, no options. Matches if sk can be found and it is not bound to 0.0.0.0/::
+iptables-translate -A INPUT -m socket
+nft 'add rule ip filter INPUT socket wildcard 0 counter'
+
+iptables-translate -A INPUT -m socket --transparent
+nft 'add rule ip filter INPUT socket wildcard 0 socket transparent 1 counter'
+
+# Matches if sk can be found. Doesn't matter as to what addess it is bound to.
+# therefore, emulate "exists".
+iptables-translate -A INPUT -m socket --nowildcard
+nft 'add rule ip filter INPUT socket wildcard le 1 counter'
+
+iptables-translate -A INPUT -m socket --restore-skmark
+nft 'add rule ip filter INPUT socket wildcard 0 meta mark set socket mark counter'
+
+iptables-translate -A INPUT -m socket --transparent --nowildcard --restore-skmark
+nft 'add rule ip filter INPUT socket transparent 1 meta mark set socket mark counter'
--
cgit v1.2.3
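Review bot: The comment line `# Matches if sk can be found. Doesn't matter as to what addess it is bound to.` misspells "address" and should read `# Matches if sk can be found. Doesn't matter as to what address it is bound to.`. The fixture also only exercises the --nowildcard elision together with both other flags, so the branch that emits a single companion expression with no `socket wildcard` at all is never pinned; adding `iptables-translate -A INPUT -m socket --transparent --nowildcard` with the expected `nft 'add rule ip filter INPUT socket transparent 1 counter'` would cover it, and the expected output follows directly from the flag handling in socket_mt_xlate.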