Add translation for dccp to nftables. Full translation of this match awaits the support for --dccp-option. Examples: $ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100 nft add rule ip filter INPUT dccp sport 100 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200 nft add rule ip filter INPUT dccp dport 100-200 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100 nft add rule ip filter INPUT dccp dport != 100 counter $ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter Signed-off-by: Shivani Bhardwaj <shivanib134@xxxxxxxxx> --- Changes in v2: Fix bugs and remove invalid dccp type Following is not added in commit message as it is not translation code issue: * Since inversion of set is not possible in nftables, using dccp with rules like ...dccp type != {request, response}.. * dccp type reset is going to throw errors. extensions/libxt_dccp.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c index a35cabb..8bccd7a 100644 --- a/extensions/libxt_dccp.c +++ b/extensions/libxt_dccp.c @@ -277,6 +277,94 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match) } } +static const char *const dccp_pkt_types_xlate[] = { + [DCCP_PKT_REQUEST] = "request", + [DCCP_PKT_RESPONSE] = "response", + [DCCP_PKT_DATA] = "data", + [DCCP_PKT_ACK] = "ack", + [DCCP_PKT_DATAACK] = "dataack", + [DCCP_PKT_CLOSEREQ] = "closereq", + [DCCP_PKT_CLOSE] = "close", + [DCCP_PKT_RESET] = "reset", + [DCCP_PKT_SYNC] = "sync", + [DCCP_PKT_SYNCACK] = "syncack", +}; + +static int dccp_type_xlate(const struct xt_dccp_info *einfo, + struct xt_xlate *xl) +{ + bool have_type = false, set_need = false; + uint16_t types = einfo->typemask; + + if (types & (1 << DCCP_PKT_INVALID)) + return 0; + + xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : ""); + + if ((types != 0) && !(types == (types & -types))) { + xt_xlate_add(xl, "{"); + set_need = true; + } + + while (types) { + unsigned int i; + + for (i = 0; !(types & (1 << i)); i++); + + if (have_type) + xt_xlate_add(xl, ", "); + else + have_type = true; + + xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]); + + types &= ~(1 << i); + } + + if (set_need) + xt_xlate_add(xl, "}"); + + xt_xlate_add(xl, " "); + + return 1; +} + +static int dccp_xlate(const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_dccp_info *einfo = + (const struct xt_dccp_info *)match->data; + int ret = 1; + + xt_xlate_add(xl, "dccp "); + + if (einfo->flags & XT_DCCP_SRC_PORTS) { + if (einfo->spts[0] != einfo->spts[1]) + xt_xlate_add(xl, "sport%s %u-%u ", + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "", + einfo->spts[0], einfo->spts[1]); + else + xt_xlate_add(xl, "sport%s %u ", + einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "", + einfo->spts[0]); + } + + if (einfo->flags & XT_DCCP_DEST_PORTS) { + if (einfo->dpts[0] != einfo->dpts[1]) + xt_xlate_add(xl, "dport%s %u-%u ", + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", + einfo->dpts[0], einfo->dpts[1]); + else + xt_xlate_add(xl, "dport%s %u ", + einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "", + einfo->dpts[0]); + } + + if (einfo->flags & XT_DCCP_TYPE) + ret = dccp_type_xlate(einfo, xl); + + return ret; +} static struct xtables_match dccp_match = { .name = "dccp", .family = NFPROTO_UNSPEC, @@ -288,6 +376,7 @@ static struct xtables_match dccp_match = { .save = dccp_save, .x6_parse = dccp_parse, .x6_options = dccp_opts, + .xlate = dccp_xlate, }; void _init(void) -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html