On Sun, Jun 05, 2016 at 07:57:23PM +0200, Laura Garcia Liebana wrote:
> Add translation for dscp to nftables, for both ipv4 and ipv6.
>
> Examples:
>
> $ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
> nft add rule ip filter INPUT ip dscp 0x32 counter accept
>
> $ sudo ip6tables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
> nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept
>
> Signed-off-by: Laura Garcia Liebana <nevola@xxxxxxxxx>
> ---
> extensions/libxt_dscp.c | 92 ++++++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 79 insertions(+), 13 deletions(-)
>
> diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
> index 02b22a4..4b88c5a 100644
> --- a/extensions/libxt_dscp.c
> +++ b/extensions/libxt_dscp.c 
> @@ -91,21 +91,87 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match)
> printf("%s --dscp 0x%02x", dinfo->invert ? " !" : "", dinfo->dscp);
> }
>
> -static struct xtables_match dscp_match = {
> - .family = NFPROTO_UNSPEC,
> - .name = "dscp",
> - .version = XTABLES_VERSION,
> - .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
> - .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
> - .help = dscp_help,
> - .print = dscp_print,
> - .save = dscp_save,
> - .x6_parse = dscp_parse,
> - .x6_fcheck = dscp_check,
> - .x6_options = dscp_opts,
> +static int __dscp_xlate(const void *ip, const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + const struct xt_dscp_info *dinfo =
> + (const struct xt_dscp_info *)match->data;
> +
> + xt_xlate_add(xl, "dscp %s0x%02x ",
> + dinfo->invert ? "!= " : "",
> + dinfo->dscp);
> +
> + return 1;
> +}
> +
> +static int dscp_xlate(const void *ip, const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + xt_xlate_add(xl, "ip ");
> +
> + return __dscp_xlate(ip, match, xl, numeric);
> +}
> +
> +static int dscp_xlate6(const void *ip, const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + xt_xlate_add(xl, "ip6 ");
> +
> + return __dscp_xlate(ip, match, xl, numeric);
> +}
> +
> +static int dscp_xlate_uns(const void *ip, const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + return 0;
> +}
> +
> +static struct xtables_match dscp_mt_reg[] = {
> + {
> + .family = NFPROTO_IPV4,
> + .name = "dscp",
> + .version = XTABLES_VERSION,
> + .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .help = dscp_help,
> + .print = dscp_print,
> + .save = dscp_save,
> + .x6_parse = dscp_parse,
> + .x6_fcheck = dscp_check,
> + .x6_options = dscp_opts,
> + .xlate = dscp_xlate,
> + },
> + {
> + .family = NFPROTO_IPV6,
> + .name = "dscp",
> + .version = XTABLES_VERSION,
> + .size = 
XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .help = dscp_help,
> + .print = dscp_print,
> + .save = dscp_save,
> + .x6_parse = dscp_parse,
> + .x6_fcheck = dscp_check,
> + .x6_options = dscp_opts,
> + .xlate = dscp_xlate6,
> + },
> + {
> + .family = NFPROTO_UNSPEC,
> + .name = "dscp",
> + .version = XTABLES_VERSION,
> + .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
> + .help = dscp_help,
> + .print = dscp_print,
> + .save = dscp_save,
> + .x6_parse = dscp_parse,
> + .x6_fcheck = dscp_check,
> + .x6_options = dscp_opts,
> + .xlate = dscp_xlate_uns,
> + },
I think you can remove the NFPROTO_UNSPEC now that you registered one specifically for ipv4 and another for ipv6. iptables only support ipv4 and ipv6 indeed.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
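Review bot: The ip6tables-translate example in the description shows `ip6 dscp != 0x32` for a plain `--dscp 0x32`, but `__dscp_xlate` in this hunk prepends `!= ` only when `dinfo->invert` is set, so the expected output would be `ip6 dscp 0x32`. This is probably a typo in the example rather than in the code, but it is worth correcting, and pinning with a translation test if the tree carries them, because a translator that inverted a match would change which packets the migrated rule accepts. A one-line comment above the helper would also make the split clear, e.g. `/* Emit "dscp [!= ]0x<value> "; the caller has already added the "ip "/"ip6 " prefix. */`. The `dscp_mt_reg[]` initializer continues past the quoted part of the hunk, so the registration call is not visible here.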