Re: [PATCH] iptables: extensions: libxt_ecn: Add translation to nft

On 29 June 2016 at 11:24,  <rodanber@xxxxxxxxx> wrote:
> From: Roberto García <rodanber@xxxxxxxxx>
>
> Add translation of the ecn match to nftables.
>
> Examples:
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
>   nft add rule ip filter INPUT ip ecn not-ect counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
>   nft add rule ip filter INPUT ip ecn ect1 counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
>   nft add rule ip filter INPUT ip ecn ect0 counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
>   nft add rule ip filter INPUT ip ecn ce counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
>   nft add rule ip filter INPUT ip ecn != not-ect counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
>   nft add rule ip filter INPUT ip ecn != ect1 counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
>   nft add rule ip filter INPUT ip ecn != ect0 counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
>   nft add rule ip filter INPUT ip ecn != ce counter
>
> Signed-off-by: Roberto García <rodanber@xxxxxxxxx>
> ---
>  extensions/libxt_ecn.c | 30 ++++++++++++++++++++++++++++++
>  1 file changed, 30 insertions(+)
>
> diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
> index 286782a..4efdda3 100644
> --- a/extensions/libxt_ecn.c
> +++ b/extensions/libxt_ecn.c
> @@ -118,6 +118,35 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
>         }
>  }
>
> +static int ecn_xlate(const void *ip, const struct xt_entry_match *match,
> +                    struct xt_xlate *xl, int numeric)
> +{
> +       const struct xt_ecn_info *einfo =
> +               (const struct xt_ecn_info *)match->data;
> +
> +       if (einfo->operation & XT_ECN_OP_MATCH_IP) {
> +               xt_xlate_add(xl, "ip ecn ");
> +               if (einfo->invert)
> +                       xt_xlate_add(xl,"!= ");
> +               switch (einfo->ip_ect) {
> +               case 0:
> +                       xt_xlate_add(xl, "not-ect ");
> +                       break;
> +               case 1:
> +                       xt_xlate_add(xl, "ect1 ");
> +                       break;
> +               case 2:
> +                       xt_xlate_add(xl, "ect0 ");
> +                       break;
> +               case 3:
> +                       xt_xlate_add(xl, "ce ");
> +                       break;
> +               }
> +               return 1;
> +       } else
> +               return 0;
> +}
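
Review bot: the switch on einfo->ip_ect in ecn_xlate() has no default case, so a value outside 0..3 leaves the output as a bare "ip ecn " (or "ip ecn != ") with no operand, and the function still returns 1 as if the translation succeeded. Adding `default: return 0;` would report such a rule as untranslatable instead of emitting an incomplete nft expression. The guard `einfo->operation & XT_ECN_OP_MATCH_IP` also only checks that one bit, so any other bits set in operation are dropped silently while 1 is returned; if other operations can be combined with the IP match, either translate them or return 0 when they are present. Minor style point: `xt_xlate_add(xl,"!= ");` is missing the space after the comma.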

Hi Roberto,

instead of wrapping all the translation composition inside the if(),
just return 0 if the condition is not met.

That's what I meant with the early return thing in my last email.

regards
-- 
Arturo Borrero González