From b65a70131d0d38844be12235270eebaa9d2f5a4d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 12 Jul 2016 22:04:17 +0200 Subject: src: add xt compat support At compilation time, you have to pass this option. # ./configure --with-xtables And libxtables needs to be installed in your system. This patch allows to list a ruleset containing xt extensions loaded through iptables-compat-restore tool. Example: $ iptables-save > ruleset $ cat ruleset *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT COMMIT $ sudo iptables-compat-restore ruleset $ sudo nft list rulseset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject } chain FORWARD { type filter hook forward priority 0; policy drop; } chain OUTPUT { type filter hook output priority 0; policy accept; } } A translation of the extension is shown if this is available. In other case, match or target definition is preceded by a hash. For example, classify target has not translation: $ sudo nft list chain mangle POSTROUTING table ip mangle { chain POSTROUTING { type filter hook postrouting priority -150; policy accept; ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10 ^^^ } } If the whole ruleset is translatable, the users can (re)load it using "nft -f" and get nft native support for all their rules. This patch is joint work by the authors listed below. Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nf_tables_compat.h | 38 +++++++++++++++++++++++++++++ include/statement.h | 34 ++++++++++++++++++++++++++ include/xt.h | 39 ++++++++++++++++++++++++++++++ 3 files changed, 111 insertions(+) create mode 100644 include/linux/netfilter/nf_tables_compat.h create mode 100644 include/xt.h (limited to 'include') diff --git a/include/linux/netfilter/nf_tables_compat.h b/include/linux/netfilter/nf_tables_compat.h new file mode 100644 index 00000000..8310f5f7 --- /dev/null +++ b/include/linux/netfilter/nf_tables_compat.h @@ -0,0 +1,38 @@ +#ifndef _NFT_COMPAT_NFNETLINK_H_ +#define _NFT_COMPAT_NFNETLINK_H_ + +enum nft_target_attributes { + NFTA_TARGET_UNSPEC, + NFTA_TARGET_NAME, + NFTA_TARGET_REV, + NFTA_TARGET_INFO, + __NFTA_TARGET_MAX +}; +#define NFTA_TARGET_MAX (__NFTA_TARGET_MAX - 1) + +enum nft_match_attributes { + NFTA_MATCH_UNSPEC, + NFTA_MATCH_NAME, + NFTA_MATCH_REV, + NFTA_MATCH_INFO, + __NFTA_MATCH_MAX +}; +#define NFTA_MATCH_MAX (__NFTA_MATCH_MAX - 1) + +#define NFT_COMPAT_NAME_MAX 32 + +enum { + NFNL_MSG_COMPAT_GET, + NFNL_MSG_COMPAT_MAX +}; + +enum { + NFTA_COMPAT_UNSPEC = 0, + NFTA_COMPAT_NAME, + NFTA_COMPAT_REV, + NFTA_COMPAT_TYPE, + __NFTA_COMPAT_MAX, +}; +#define NFTA_COMPAT_MAX (__NFTA_COMPAT_MAX - 1) + +#endif diff --git a/include/statement.h b/include/statement.h index e9313ca7..1b215517 100644 --- a/include/statement.h +++ b/include/statement.h @@ -147,6 +147,37 @@ struct flow_stmt { extern struct stmt *flow_stmt_alloc(const struct location *loc); +/** + * enum nft_xt_type - xtables statement types + * + * @NFT_XT_MATCH: match + * @NFT_XT_TARGET: target + * @NFT_XT_WATCHER: watcher (only for the bridge family) + */ +enum nft_xt_type { + NFT_XT_MATCH = 0, + NFT_XT_TARGET, + NFT_XT_WATCHER, + NFT_XT_MAX +}; + +struct xtables_match; +struct xtables_target; + +struct xt_stmt { + const char *name; + enum nft_xt_type type; + uint32_t proto; + union { + struct xtables_match *match; + struct xtables_target *target; + }; + const char *opts; + void *entry; +}; + +extern struct stmt *xt_stmt_alloc(const struct location *loc); + /** * enum stmt_types - statement types * @@ -168,6 +199,7 @@ extern struct stmt *flow_stmt_alloc(const struct location *loc); * @STMT_SET: set statement * @STMT_DUP: dup statement * @STMT_FWD: forward statement + * @STMT_XT: XT statement */ enum stmt_types { STMT_INVALID, @@ -188,6 +220,7 @@ enum stmt_types { STMT_SET, STMT_DUP, STMT_FWD, + STMT_XT, }; /** @@ -243,6 +276,7 @@ struct stmt { struct set_stmt set; struct dup_stmt dup; struct fwd_stmt fwd; + struct xt_stmt xt; }; }; diff --git a/include/xt.h b/include/xt.h new file mode 100644 index 00000000..753511e6 --- /dev/null +++ b/include/xt.h @@ -0,0 +1,39 @@ +#ifndef _NFT_XT_H_ +#define _NFT_XT_H_ + +struct netlink_linearize_ctx; +struct netlink_parse_ctx; +struct nftnl_expr; +struct rule_pp_ctx; +struct rule; + +#ifdef HAVE_LIBXTABLES +void xt_stmt_xlate(const struct stmt *stmt); +void xt_stmt_release(const struct stmt *stmt); + +void netlink_parse_target(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle); +void netlink_parse_match(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle); +void stmt_xt_postprocess(struct rule_pp_ctx *rctx, struct stmt *stmt, + struct rule *rule); +#else +static inline void xt_stmt_xlate(const struct stmt *stmt) {} +static inline void xt_stmt_release(const struct stmt *stmt) {} + +#include + +static inline void netlink_parse_target(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle) {} +static inline void netlink_parse_match(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle) {} +static inline void stmt_xt_postprocess(struct rule_pp_ctx *rctx, + struct stmt *stmt, struct rule *rule) {} + +#endif + +#endif /* _NFT_XT_H_ */ -- cgit v1.2.3