Add translation of ipcomp to nftables. First value of the parameter 'ipcompspi' will be translated to 'cpi' parameter in nftables. Parameter 'compres' is not supported in nftables. Examples: $ sudo iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT nft add rule ip filter INPUT comp cpi 18 counter accept $ sudo iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT nft add rule ip filter INPUT comp cpi != 18 counter accept Signed-off-by: Laura Garcia Liebana <nevola@xxxxxxxxx> --- extensions/libxt_ipcomp.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c index b157e7b..19b251a 100644 --- a/extensions/libxt_ipcomp.c +++ b/extensions/libxt_ipcomp.c @@ -95,6 +95,18 @@ static void comp_save(const void *ip, const struct xt_entry_match *match) printf(" --compres"); } +static int comp_xlate(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)match->data; + + xt_xlate_add(xl, "comp cpi %s%u ", + (compinfo->invflags & XT_IPCOMP_INV_SPI) ? "!= " : "", + compinfo->spis[0]); + + return 1; +} + static struct xtables_match comp_mt_reg = { .name = "ipcomp", .version = XTABLES_VERSION, @@ -106,6 +118,7 @@ static struct xtables_match comp_mt_reg = { .save = comp_save, .x6_parse = comp_parse, .x6_options = comp_opts, + .xlate = comp_xlate, }; void -- 2.7.0
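Review bot: in the first hunk, comp_xlate() prints only compinfo->spis[0] and then unconditionally returns 1, so a rule whose two spis[] bounds differ is reported as a successful translation even though the emitted "comp cpi N" matches a single value. The translated ruleset then has different match semantics from the original without any indication to the operator, which matters most for drop or reject rules, where the narrower match lets traffic through that the iptables rule covered. Suggest comparing spis[0] with spis[1] and emitting a range ("%u-%u") when they differ, or returning 0 so the rule is flagged as not translatable. The same applies to 'compres': the commit message says it has no nftables equivalent, but the function never checks for it, so a rule using --compres is also translated as if the option were absent; returning 0 in that case would be safer than dropping the condition silently. Minor style point: the cast "(struct xt_ipcomp *)match->data" discards const before assigning to a const pointer and could be written as a const cast.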