From d45fb0a4077304a7e3f2c44bbac1bde3a9b49a77 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 5 Mar 2024 16:28:29 +0100 Subject: xlate: Improve redundant l4proto match avoidance xtables-translate tries to avoid 'ip protocol'/'meta l4proto' matches if following expressions add this as dependency anyway. E.g.: | # iptables-translate -A FOO -p tcp -m tcp --dport 22 -j ACCEPT | nft 'add rule ip filter FOO tcp dport 22 counter accept' This worked by searching protocol name in loaded matches, but that approach is flawed as the protocol name and corresponding extension may differ ("mobility-header" vs. "mh"). Improve this by searching for all names (cached or resolved) for a given protocol number. Signed-off-by: Phil Sutter --- iptables/nft-ipv6.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) (limited to 'iptables/nft-ipv6.c') diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index c371ba8c..b184f8af 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -184,6 +184,7 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, static int nft_ipv6_xlate(const struct iptables_command_state *cs, struct xt_xlate *xl) { + uint16_t proto = cs->fw6.ipv6.proto; const char *comment; int ret; @@ -192,18 +193,16 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs, xlate_ifname(xl, "oifname", cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT); - if (cs->fw6.ipv6.proto != 0) { - const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0); - - if (!pname || !xlate_find_match(cs, pname)) { - xt_xlate_add(xl, "meta l4proto"); - if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO) - xt_xlate_add(xl, " !="); - if (pname) - xt_xlate_add(xl, "%s", pname); - else - xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto); - } + if (proto != 0 && !xlate_find_protomatch(cs, proto)) { + const char *pname = proto_to_name(proto, 0); + + xt_xlate_add(xl, "meta l4proto"); + if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO) + xt_xlate_add(xl, " !="); + if (pname) + xt_xlate_add(xl, "%s", pname); + else + xt_xlate_add(xl, "%hu", proto); } xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk, -- cgit v1.2.3