From: Roberto García <rodanber@xxxxxxxxx> Add translation of the ecn match to nftables. Examples: # iptables-translate -A INPUT -m ecn --ecn-ip-ect 0 nft add rule ip filter INPUT ip ecn not-ect counter # iptables-translate -A INPUT -m ecn --ecn-ip-ect 1 nft add rule ip filter INPUT ip ecn ect1 counter # iptables-translate -A INPUT -m ecn --ecn-ip-ect 2 nft add rule ip filter INPUT ip ecn ect0 counter # iptables-translate -A INPUT -m ecn --ecn-ip-ect 3 nft add rule ip filter INPUT ip ecn ce counter # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0 nft add rule ip filter INPUT ip ecn != not-ect counter # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1 nft add rule ip filter INPUT ip ecn != ect1 counter # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2 nft add rule ip filter INPUT ip ecn != ect0 counter # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3 nft add rule ip filter INPUT ip ecn != ce counter Signed-off-by: Roberto García <rodanber@xxxxxxxxx>
---
extensions/libxt_ecn.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
index 286782a..8e0c35b 100644
--- a/extensions/libxt_ecn.c
+++ b/extensions/libxt_ecn.c
@@ -118,6 +118,50 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
 }
 }
+static int ecn_xlate(const void *ip, const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct xt_ecn_info *einfo =
+ (const struct xt_ecn_info *)match->data;
+
+ if (einfo->operation & XT_ECN_OP_MATCH_IP) {
+ xt_xlate_add(xl, "ip ecn ");
+ if (einfo->invert) {
+ switch (einfo->ip_ect) {
+ case 0:
+ xt_xlate_add(xl, "!= not-ect ");
+ break;
+ case 1:
+ xt_xlate_add(xl, "!= ect1 ");
+ break;
+ case 2:
+ xt_xlate_add(xl, "!= ect0 ");
+ break;
+ case 3:
+ xt_xlate_add(xl, "!= ce ");
+ break;
+ }
+ } else {
+ switch (einfo->ip_ect) {
+ case 0:
+ xt_xlate_add(xl, "not-ect ");
+ break;
+ case 1:
+ xt_xlate_add(xl, "ect1 ");
+ break;
+ case 2:
+ xt_xlate_add(xl, "ect0 ");
+ break;
+ case 3:
+ xt_xlate_add(xl, "ce ");
+ break;
+ }
+ }
+ return 1;
+ } else
+ return 0;
+}
+
 static struct xtables_match ecn_mt_reg = {
 .name = "ecn",
 .version = XTABLES_VERSION,
@@ -130,6 +174,7 @@ static struct xtables_match ecn_mt_reg = {
 .x6_parse = ecn_parse,
 .x6_fcheck = ecn_check,
 .x6_options = ecn_opts,
+ .xlate = ecn_xlate,
 };
 void _init(void)
--
2.8.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
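Review bot: `ecn_xlate` reports success (`return 1`) whenever the `XT_ECN_OP_MATCH_IP` bit is set in `operation`, and its `if (einfo->invert)` test reads the whole field rather than the IP bit, so a rule that also carries the match's TCP ECE/CWR conditions would presumably be translated with those conditions dropped and possibly with the wrong polarity on the IP test. For a firewall ruleset, a translation that silently matches different traffic is worse than no translation, so the function should decline what it cannot express: `if (einfo->operation & ~XT_ECN_OP_MATCH_IP) return 0;` ahead of the IP branch, and `if (einfo->invert & XT_ECN_OP_MATCH_IP)` for the negation. Both `switch` statements also lack a `default:`, so an `ip_ect` outside 0-3 would emit a bare `ip ecn ` and still return 1; rejecting such a value with `return 0` before anything is added to `xl` closes that. The flag layout of `struct xt_ecn_info` is not visible in this patch, so confirm the bit semantics against the header.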