Re: [PATCH] iptables: extensions: libxt_ecn: Add translation to nft

Reviewed-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>

2016-06-29 20:48 GMT+02:00 <rodanber@xxxxxxxxx>:
>
> From: Roberto García <rodanber@xxxxxxxxx>
>
> Add translation of the ecn match to nftables.
>
> Examples:
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
>   nft add rule ip filter INPUT ip ecn not-ect counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
>   nft add rule ip filter INPUT ip ecn ect1 counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
>   nft add rule ip filter INPUT ip ecn ect0 counter
>
>   # iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
>   nft add rule ip filter INPUT ip ecn ce counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
>   nft add rule ip filter INPUT ip ecn != not-ect counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
>   nft add rule ip filter INPUT ip ecn != ect1 counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
>   nft add rule ip filter INPUT ip ecn != ect0 counter
>
>   # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
>   nft add rule ip filter INPUT ip ecn != ce counter
>
> Signed-off-by: Roberto García <rodanber@xxxxxxxxx>
> ---
>  extensions/libxt_ecn.c | 31 +++++++++++++++++++++++++++++++
>  1 file changed, 31 insertions(+)
>
> diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
> index 286782a..2856a31 100644
> --- a/extensions/libxt_ecn.c
> +++ b/extensions/libxt_ecn.c
> @@ -118,6 +118,36 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match)
>         }
>  }
>
> +static int ecn_xlate(const void *ip, const struct xt_entry_match *match,
> +                    struct xt_xlate *xl, int numeric)
> +{
> +       const struct xt_ecn_info *einfo =
> +               (const struct xt_ecn_info *)match->data;
> +
> +       if (!(einfo->operation & XT_ECN_OP_MATCH_IP))
> +               return 0;
> +
> +       xt_xlate_add(xl, "ip ecn ");
> +       if (einfo->invert)
> +               xt_xlate_add(xl,"!= ");
> +
> +       switch (einfo->ip_ect) {
> +       case 0:
> +               xt_xlate_add(xl, "not-ect ");
> +               break;
> +       case 1:
> +               xt_xlate_add(xl, "ect1 ");
> +               break;
> +       case 2:
> +               xt_xlate_add(xl, "ect0 ");
> +               break;
> +       case 3:
> +               xt_xlate_add(xl, "ce ");
> +               break;
> +       }
> +       return 1;
> +}
> +
>  static struct xtables_match ecn_mt_reg = {
>         .name          = "ecn",
>         .version       = XTABLES_VERSION,
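
Review bot: In ecn_xlate() the guard only checks that the XT_ECN_OP_MATCH_IP bit is set, so any other bits in einfo->operation are ignored and the function still returns 1; the emitted nft rule would then match more broadly than the iptables rule it replaces. Return 0 unless the IP match is the only operation requested, or translate the remaining operations as well. Related points in the same function: `if (einfo->invert)` tests the whole field while operation is tested with a mask, so if invert carries per-operation bits it should be masked with XT_ECN_OP_MATCH_IP too. The switch on einfo->ip_ect has no default case, so an unexpected value emits "ip ecn " with no operand and still returns 1; a default that returns 0 would avoid producing an incomplete rule. Style: there is a missing space after the comma in `xt_xlate_add(xl,"!= ");`.
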
> @@ -130,6 +160,7 @@ static struct xtables_match ecn_mt_reg = {
>         .x6_parse      = ecn_parse,
>         .x6_fcheck     = ecn_check,
>         .x6_options    = ecn_opts,
> +       .xlate         = ecn_xlate,
>  };
>
>  void _init(void)
> --
> 2.8.0
>