extensions: mh: Save/xlate inverted full ranges

Also translate '-m mh' into an exthdr exists match unless '-p mh' is
also present. The latter is converted into 'meta l4proto mh' which might
need fixing itself at a later point.

Fixes: 6d4b93485055a ("extensions: libip6t_mh: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libip6t_mh.c b/extensions/libip6t_mh.c
index 1410d324b5d42d11a8a7a34e3fa65e78391252db..3f80e28ec94c8a4da94279eee98b428c01e7eafa 100644 (file)
--- a/extensions/libip6t_mh.c
+++ b/extensions/libip6t_mh.c
@@ -17,6 +17,7 @@
 #include <stdlib.h>
 #include <xtables.h>
 #include <linux/netfilter_ipv6/ip6t_mh.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 
 enum {
        O_MH_TYPE = 0,
@@ -154,11 +155,16 @@ static void print_type(uint8_t type, int numeric)
                printf("%s", name);
 }
 
+static bool skip_types_match(uint8_t min, uint8_t max, bool inv)
+{
+       return min == 0 && max == UINT8_MAX && !inv;
+}
+
 static void print_types(uint8_t min, uint8_t max, int invert, int numeric)
 {
        const char *inv = invert ? "!" : "";
 
-       if (min != 0 || max != 0xFF || invert) {
+       if (!skip_types_match(min, max, invert)) {
                printf(" ");
                if (min == max) {
                        printf("%s", inv);
@@ -189,11 +195,12 @@ static void mh_print(const void *ip, const struct xt_entry_match *match,
 static void mh_save(const void *ip, const struct xt_entry_match *match)
 {
        const struct ip6t_mh *mhinfo = (struct ip6t_mh *)match->data;
+       bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
 
-       if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xFF)
+       if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type))
                return;
 
-       if (mhinfo->invflags & IP6T_MH_INV_TYPE)
+       if (inv_type)
                printf(" !");
 
        if (mhinfo->types[0] != mhinfo->types[1])
@@ -206,9 +213,14 @@ static int mh_xlate(struct xt_xlate *xl,
                    const struct xt_xlate_mt_params *params)
 {
        const struct ip6t_mh *mhinfo = (struct ip6t_mh *)params->match->data;
+       bool inv_type = mhinfo->invflags & IP6T_MH_INV_TYPE;
+       uint8_t proto = ((const struct ip6t_ip6 *)params->ip)->proto;
 
-       if (mhinfo->types[0] == 0 && mhinfo->types[1] == 0xff)
+       if (skip_types_match(mhinfo->types[0], mhinfo->types[1], inv_type)) {
+               if (proto != IPPROTO_MH)
+                       xt_xlate_add(xl, "exthdr mh exists");
                return 1;
+       }
 
        if (mhinfo->types[0] != mhinfo->types[1])
                xt_xlate_add(xl, "mh type %s%u-%u",

diff --git a/extensions/libip6t_mh.t b/extensions/libip6t_mh.t
index 151eabe631f58354ec7a34808929c1240fff3ad2..b628e9e33fd3ed0806dd96ca9eb2df65b2093940 100644 (file)
--- a/extensions/libip6t_mh.t
+++ b/extensions/libip6t_mh.t
@@ -5,7 +5,7 @@
 -p mobility-header -m mh ! --mh-type 4;=;OK
 -p mobility-header -m mh --mh-type 4:123;=;OK
 -p mobility-header -m mh --mh-type :;-p mobility-header -m mh;OK
--p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh;OK
+-p mobility-header -m mh ! --mh-type :;-p mobility-header -m mh ! --mh-type 0:255;OK
 -p mobility-header -m mh --mh-type :3;-p mobility-header -m mh --mh-type 0:3;OK
 -p mobility-header -m mh --mh-type 3:;-p mobility-header -m mh --mh-type 3:255;OK
 -p mobility-header -m mh --mh-type 3:3;-p mobility-header -m mh --mh-type 3;OK

diff --git a/extensions/libip6t_mh.txlate b/extensions/libip6t_mh.txlate
index 825c956905c22c95677a9ff0c6d135e8b429cf72..3364ce574468f36fc1600d2742edd49431bc6f22 100644 (file)
--- a/extensions/libip6t_mh.txlate
+++ b/extensions/libip6t_mh.txlate
@@ -8,7 +8,7 @@ ip6tables-translate -A INPUT -p mh --mh-type 0:255 -j ACCEPT
 nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
 
 ip6tables-translate -A INPUT -m mh --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT counter accept'
+nft 'add rule ip6 filter INPUT exthdr mh exists counter accept'
 
 ip6tables-translate -A INPUT -p mh ! --mh-type 0:255 -j ACCEPT
-nft 'add rule ip6 filter INPUT meta l4proto mobility-header counter accept'
+nft 'add rule ip6 filter INPUT meta l4proto mobility-header mh type != 0-255 counter accept'