On 28 June 2016 at 21:58, <rodanber@xxxxxxxxx> wrote:
> From: Roberto García <rodanber@xxxxxxxxx>
>
> Add translation of the ecn match to nftables.
>
> Examples:
> # iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
> nft add rule ip filter INPUT ip ecn not-ect counter
>
> # iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
> nft add rule ip filter INPUT ip ecn ect1 counter
>
> # iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
> nft add rule ip filter INPUT ip ecn ect0 counter
>
> # iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
> nft add rule ip filter INPUT ip ecn ce counter
>
> # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
> nft add rule ip filter INPUT ip ecn != not-ect counter
>
> # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
> nft add rule ip filter INPUT ip ecn != ect1 counter
>
> # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
> nft add rule ip filter INPUT ip ecn != ect0 counter
>
> # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
> nft add rule ip filter INPUT ip ecn != ce counter
>
> Signed-off-by: Roberto García <rodanber@xxxxxxxxx>
> ---
> extensions/libxt_ecn.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 45 insertions(+)
>
> diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c > index 286782a..8e0c35b 100644 > --- a/extensions/libxt_ecn.c > +++ b/extensions/libxt_ecn.c
> @@ -118,6 +118,50 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match) > } > } > > +static int ecn_xlate(const void *ip, const struct xt_entry_match *match, > + struct xt_xlate *xl, int numeric) > +{ > + const struct xt_ecn_info *einfo = > + (const struct xt_ecn_info *)match->data; > + > + if (einfo->operation & XT_ECN_OP_MATCH_IP) { > + xt_xlate_add(xl, "ip ecn "); > + if (einfo->invert) { > + switch (einfo->ip_ect) { > + case 0: > + xt_xlate_add(xl, "!= not-ect "); > + break; > + case 1: > + xt_xlate_add(xl, "!= ect1 "); > + break; > + case 2: > + xt_xlate_add(xl, "!= ect0 "); > + break; > + case 3: > + xt_xlate_add(xl, "!= ce "); > + break; > + } > + } else { > + switch (einfo->ip_ect) { > + case 0: > + xt_xlate_add(xl, "not-ect "); > + break; > + case 1: > + xt_xlate_add(xl, "ect1 "); > + break; > + case 2: > + xt_xlate_add(xl, "ect0 "); > + break; > + case 3: > + xt_xlate_add(xl, "ce "); > + break;

I would try to compact the code a bit, i.e.:

[...]
xt_xlate_add(xl, "ip ecn ");
if (einfo->invert)
	xt_xlate_add(xl, "!= ");
switch (einfo->ip_ect) {
case 0:
	xt_xlate_add(xl, "not-ect");
	break;
[...]

--
Arturo Borrero González
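
Review bot: in ecn_xlate(), einfo->operation is tested against the XT_ECN_OP_MATCH_IP bit but einfo->invert is tested as a whole value. If invert carries one bit per operation the way operation does, an inversion requested for a different part of the match would also negate the IP one, so the check should read "einfo->invert & XT_ECN_OP_MATCH_IP". The switch statements on einfo->ip_ect also have no default case, so a value outside 0-3 would leave a bare "ip ecn " in the output with no operand; add a default that handles it, or a comment saying why it cannot occur. Emitting "!= " once before a single switch, as the reply suggests, would remove the duplicated case list and leave one place for both fixes.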