extensions: frag: Save/xlate inverted full ranges

Also translate plain '-m frag' match into an exthdr exists one.

Fixes: bd5bbc7a0fbd8 ("extensions: libip6t_frag: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c
index 49c787e709a9e8ffdbb60a93724f1a94f1070b2a..ed7fe10a4716dc6a56bdfaff2db339f8f41ce088 100644 (file)
--- a/extensions/libip6t_frag.c
+++ b/extensions/libip6t_frag.c
@@ -89,13 +89,18 @@ static void frag_parse(struct xt_option_call *cb)
        }
 }
 
+static bool skip_ids_match(uint32_t min, uint32_t max, bool inv)
+{
+       return min == 0 && max == UINT32_MAX && !inv;
+}
+
 static void
 print_ids(const char *name, uint32_t min, uint32_t max,
            int invert)
 {
        const char *inv = invert ? "!" : "";
 
-       if (min != 0 || max != 0xFFFFFFFF || invert) {
+       if (!skip_ids_match(min, max, invert)) {
                printf("%s", name);
                if (min == max)
                        printf(":%s%u", inv, min);
@@ -139,11 +144,10 @@ static void frag_print(const void *ip, const struct xt_entry_match *match,
 static void frag_save(const void *ip, const struct xt_entry_match *match)
 {
        const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data;
+       bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS;
 
-       if (!(fraginfo->ids[0] == 0
-           && fraginfo->ids[1] == 0xFFFFFFFF)) {
-               printf("%s --fragid ",
-                       (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? " !" : "");
+       if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) {
+               printf("%s --fragid ", inv_ids ? " !" : "");
                if (fraginfo->ids[0]
                    != fraginfo->ids[1])
                        printf("%u:%u",
@@ -173,22 +177,27 @@ static void frag_save(const void *ip, const struct xt_entry_match *match)
                printf(" --fraglast");
 }
 
+#define XLATE_FLAGS (IP6T_FRAG_RES | IP6T_FRAG_FST | \
+                    IP6T_FRAG_MF | IP6T_FRAG_NMF)
+
 static int frag_xlate(struct xt_xlate *xl,
                      const struct xt_xlate_mt_params *params)
 {
        const struct ip6t_frag *fraginfo =
                (struct ip6t_frag *)params->match->data;
+       bool inv_ids = fraginfo->invflags & IP6T_FRAG_INV_IDS;
 
-       if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF)) {
-               xt_xlate_add(xl, "frag id %s",
-                            (fraginfo->invflags & IP6T_FRAG_INV_IDS) ?
-                            "!= " : "");
+       if (!skip_ids_match(fraginfo->ids[0], fraginfo->ids[1], inv_ids)) {
+               xt_xlate_add(xl, "frag id %s", inv_ids ?  "!= " : "");
                if (fraginfo->ids[0] != fraginfo->ids[1])
                        xt_xlate_add(xl, "%u-%u", fraginfo->ids[0],
                                     fraginfo->ids[1]);
                else
                        xt_xlate_add(xl, "%u", fraginfo->ids[0]);
 
+       } else if (!(fraginfo->flags & XLATE_FLAGS)) {
+               xt_xlate_add(xl, "exthdr frag exists");
+               return 1;
        }
 
        /* ignore ineffective IP6T_FRAG_LEN bit */

diff --git a/extensions/libip6t_frag.t b/extensions/libip6t_frag.t
index 57f7da27d5e1d8deb282d6fcf39d74e31e3709ba..ea7ac8995c27c85648fbbf4eecaa28389a825349 100644 (file)
--- a/extensions/libip6t_frag.t
+++ b/extensions/libip6t_frag.t
@@ -1,6 +1,6 @@
 :INPUT,FORWARD,OUTPUT
 -m frag --fragid :;-m frag;OK
--m frag ! --fragid :;-m frag;OK
+-m frag ! --fragid :;-m frag ! --fragid 0:4294967295;OK
 -m frag --fragid :42;-m frag --fragid 0:42;OK
 -m frag --fragid 42:;-m frag --fragid 42:4294967295;OK
 -m frag --fragid 1:42;=;OK

diff --git a/extensions/libip6t_frag.txlate b/extensions/libip6t_frag.txlate
index 2b6585afbc82605ff21cd707ac7ebc4e2dd1b3ae..e250587e7682c30f5935f25a0da2e5c246bc357a 100644 (file)
--- a/extensions/libip6t_frag.txlate
+++ b/extensions/libip6t_frag.txlate
@@ -17,7 +17,7 @@ ip6tables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
 nft 'add rule ip6 filter INPUT frag more-fragments 0 counter accept'
 
 ip6tables-translate -t filter -A INPUT -m frag --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT exthdr frag exists counter'
 
 ip6tables-translate -t filter -A INPUT -m frag ! --fragid 0:4294967295
-nft 'add rule ip6 filter INPUT counter'
+nft 'add rule ip6 filter INPUT frag id != 0-4294967295 counter'