xtables-translate: Leverage stored protocol names

Align output of ip(6)tables-translate for --protocol arguments with that
of ip(6)tables -L/-S by calling proto_to_name() from xshared.c. The
latter will consult xtables_chain_protos list first to make sure (the
right) names are used for "common" protocol values and otherwise falls
back to getprotobynumber() which it replaces here.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1738
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index b79239f1a063755b5c9cb5c29d88a474636a1088..9ad1266dc623ce9803d0f4c31c7577d9b703b9a9 100644 (file)
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -64,6 +64,36 @@ nft 'insert rule ip6 filter INPUT counter'
 ip6tables-translate -I INPUT ! -s ::/0
 nft 'insert rule ip6 filter INPUT ip6 saddr != ::/0 counter'
 
+iptables-translate -A FORWARD -p 132
+nft 'add rule ip filter FORWARD ip protocol sctp counter'
+
+ip6tables-translate -A FORWARD -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto sctp counter'
+
+iptables-translate -A FORWARD ! -p 132
+nft 'add rule ip filter FORWARD ip protocol != sctp counter'
+
+ip6tables-translate -A FORWARD ! -p 132
+nft 'add rule ip6 filter FORWARD meta l4proto != sctp counter'
+
+iptables-translate -A FORWARD -p 141
+nft 'add rule ip filter FORWARD ip protocol 141 counter'
+
+ip6tables-translate -A FORWARD -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto 141 counter'
+
+iptables-translate -A FORWARD ! -p 141
+nft 'add rule ip filter FORWARD ip protocol != 141 counter'
+
+ip6tables-translate -A FORWARD ! -p 141
+nft 'add rule ip6 filter FORWARD meta l4proto != 141 counter'
+
+iptables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip filter FORWARD tcp dport 22 counter'
+
+ip6tables-translate -A FORWARD -m tcp --dport 22 -p tcp
+nft 'add rule ip6 filter FORWARD tcp dport 22 counter'
+
 ebtables-translate -I INPUT -i iname --logical-in ilogname -s 0:0:0:0:0:0
 nft 'insert rule bridge filter INPUT iifname "iname" meta ibrname "ilogname" ether saddr 00:00:00:00:00:00 counter'
 

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 979880a3e770233c2381acbaf143d1bdba285d9a..0ce8477f76c2a5cc6fa943c75c771e658ed56fc2 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -214,20 +214,16 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
        }
 
        if (cs->fw.ip.proto != 0) {
-               const struct protoent *pent =
-                       getprotobynumber(cs->fw.ip.proto);
-               char protonum[sizeof("65535")];
-               const char *name = protonum;
-
-               snprintf(protonum, sizeof(protonum), "%u",
-                        cs->fw.ip.proto);
-
-               if (!pent || !xlate_find_match(cs, pent->p_name)) {
-                       if (pent)
-                               name = pent->p_name;
-                       xt_xlate_add(xl, "ip protocol %s%s ",
-                                  cs->fw.ip.invflags & IPT_INV_PROTO ?
-                                       "!= " : "", name);
+               const char *pname = proto_to_name(cs->fw.ip.proto, 0);
+
+               if (!pname || !xlate_find_match(cs, pname)) {
+                       xt_xlate_add(xl, "ip protocol");
+                       if (cs->fw.ip.invflags & IPT_INV_PROTO)
+                               xt_xlate_add(xl, " !=");
+                       if (pname)
+                               xt_xlate_add(xl, "%s", pname);
+                       else
+                               xt_xlate_add(xl, "%hu", cs->fw.ip.proto);
                }
        }
 

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index e4b1714d00c2f900f19507d62373f6de8d031b99..c371ba8c938c7fe253ca93d9c2ee4587fc6f81be 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -193,22 +193,17 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
                     cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
 
        if (cs->fw6.ipv6.proto != 0) {
-               const struct protoent *pent =
-                       getprotobynumber(cs->fw6.ipv6.proto);
-               char protonum[sizeof("65535")];
-               const char *name = protonum;
-
-               snprintf(protonum, sizeof(protonum), "%u",
-                        cs->fw6.ipv6.proto);
-
-               if (!pent || !xlate_find_match(cs, pent->p_name)) {
-                       if (pent)
-                               name = pent->p_name;
-                       xt_xlate_add(xl, "meta l4proto %s%s ",
-                                  cs->fw6.ipv6.invflags & IP6T_INV_PROTO ?
-                                       "!= " : "", name);
+               const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0);
+
+               if (!pname || !xlate_find_match(cs, pname)) {
+                       xt_xlate_add(xl, "meta l4proto");
+                       if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
+                               xt_xlate_add(xl, " !=");
+                       if (pname)
+                               xt_xlate_add(xl, "%s", pname);
+                       else
+                               xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto);
                }
-
        }
 
        xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,

diff --git a/iptables/xshared.c b/iptables/xshared.c
index bff7d60ce13908f23372d52b947df857a757c65d..b998dd75aaf0525423312e82232f970ef6d868b6 100644 (file)
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -62,7 +62,7 @@ static void print_extension_helps(const struct xtables_target *t,
        }
 }
 
-static const char *
+const char *
 proto_to_name(uint16_t proto, int nolookup)
 {
        unsigned int i;

diff --git a/iptables/xshared.h b/iptables/xshared.h
index 7d4035ec03e52b60e97fc67aab3c9004c2e7f00d..26c492ebee9ece23def634fed52346afd0070d49 100644 (file)
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -335,4 +335,6 @@ void iface_to_mask(const char *ifname, unsigned char *mask);
 
 void xtables_clear_args(struct xtables_args *args);
 
+const char *proto_to_name(uint16_t proto, int nolookup);
+
 #endif /* IPTABLES_XSHARED_H */