On Sun, Dec 20, 2015 at 11:43:21PM +0530, Shivani Bhardwaj wrote:
> Add translation for ESP Protocol to nftables.
>
> Examples:
>
> $ sudo iptables-translate -A FORWARD -p esp -j ACCEPT
> nft add rule ip filter FORWARD ip protocol esp counter accept
>
> $ sudo iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT
> nft add rule ip filter INPUT iifname wan ip protocol esp counter accept
>
> $ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
> nft add rule ip filter INPUT esp spi 500 counter drop

Applied with changes.

> Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx>
> ---
> extensions/libxt_esp.c | 23 +++++++++++++++++++++--
> 1 file changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
> index 294338b..1c198c6 100644
> --- a/extensions/libxt_esp.c
> +++ b/extensions/libxt_esp.c
> @@ -79,10 +79,28 @@ static void esp_save(const void *ip, const struct xt_entry_match *match)
>
> }
>
> +static int esp_xlate(const struct xt_entry_match *match,
> + struct xt_buf *buf, int numeric)
> +{
> + const struct xt_esp *espinfo = (struct xt_esp *)match->data;
> +
> + if (!(espinfo->spis[0] == 0 && espinfo->spis[1] == 0xFFFFFFFF)) {
> + xt_buf_add(buf, "%s esp spi ",

This should be "esp spi%s" instead.

> + (espinfo->invflags & XT_ESP_INV_SPI) ? " !=" : "");
> + if (espinfo->spis[0] != espinfo->spis[1])
> + xt_buf_add(buf, "%u:%u ", espinfo->spis[0],

This should be "%u-%u".

Please make sure you test all possible branches in your code next time.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
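Review bot: the two format strings in the new esp_xlate() hunk do not produce valid nft syntax. `xt_buf_add(buf, "%s esp spi ", ... ? " !=" : "")` places the negation before the key, so an inverted match would come out as ` != esp spi 500`; nft puts the operator between key and value, so the format should be `"esp spi%s "` with `" !="` substituted after `spi`, giving `esp spi != 500`. Likewise `"%u:%u "` uses the iptables range separator; nft ranges are written with a dash, so it should be `"%u-%u "`, giving `esp spi 100-200`. A smaller point on the same lines: `match` is a `const struct xt_entry_match *`, so the cast should be `(const struct xt_esp *)match->data` rather than discarding the qualifier. The hunk as quoted here is cut off after the `spis[0]` argument, so the closing part of the range branch and the function's return value cannot be reviewed from this message; when the patch is resent, the default range (0 to 0xFFFFFFFF, which prints nothing), a single SPI, a range, and the inverted form of each are four distinct branches and each needs an iptables-translate test case.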