[PATCH iptables 5/8] extensions: libxt_ipcomp: add range support in translation

From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>

When translating to nft rules, ipcompspi range is not supported, so:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3 counter

After applying this patch:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1-2 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3-30 counter

Signed-off-by: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
---
 extensions/libxt_ipcomp.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c
index 9f7c0ef..b5c4312 100644
--- a/extensions/libxt_ipcomp.c
+++ b/extensions/libxt_ipcomp.c
@@ -101,9 +101,13 @@ static int comp_xlate(struct xt_xlate *xl,
 	const struct xt_ipcomp *compinfo =
 		(struct xt_ipcomp *)params->match->data;
 
-	xt_xlate_add(xl, "comp cpi %s%u",
-		     (compinfo->invflags & XT_IPCOMP_INV_SPI) ? "!= " : "",
-		     compinfo->spis[0]);
+	xt_xlate_add(xl, "comp cpi %s",
+		     compinfo->invflags & XT_IPCOMP_INV_SPI ? "!= " : "");
+	if (compinfo->spis[0] != compinfo->spis[1])
+		xt_xlate_add(xl, "%u-%u", compinfo->spis[0],
+			     compinfo->spis[1]);
+	else
+		xt_xlate_add(xl, "%u", compinfo->spis[0]);
 
 	return 1;
 }
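Review bot: the parentheses around `compinfo->invflags & XT_IPCOMP_INV_SPI` were dropped in the new `xt_xlate_add(xl, "comp cpi %s", ...)` call; since `&` binds tighter than `?:` the output is unchanged, but keeping `(compinfo->invflags & XT_IPCOMP_INV_SPI) ? "!= " : ""` as in the removed lines saves the reader a precedence check. The range branch also assumes the option parser has already ensured `spis[0] <= spis[1]`; if that ordering is not enforced earlier in this file, `"%u-%u"` could emit an inverted range that nft rejects, so it is worth confirming before this lands.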
-- 
2.5.5