nft can match tcp flags, so add ece/cwr translation.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 extensions/libxt_ecn.c | 50 +++++++++++++++++++++++++++++----------------
 extensions/libxt_ecn.txlate | 6 ++++++
 2 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
index aeba01b348a1..a6378b0e4586 100644
--- a/extensions/libxt_ecn.c
+++ b/extensions/libxt_ecn.c
@@ -124,27 +124,41 @@ static int ecn_xlate(struct xt_xlate *xl,
 	const struct xt_ecn_info *einfo =
 		(const struct xt_ecn_info *)params->match->data;
 
-	if (!(einfo->operation & XT_ECN_OP_MATCH_IP))
-		return 0;
+	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
+		xt_xlate_add(xl, "tcp flags ");
+		if (einfo->invert)
+			xt_xlate_add(xl,"!= ");
+		xt_xlate_add(xl, "ecn");
+	}
 
-	xt_xlate_add(xl, "ip ecn ");
-	if (einfo->invert)
-		xt_xlate_add(xl,"!= ");
+	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
+		xt_xlate_add(xl, "tcp flags ");
+		if (einfo->invert)
+			xt_xlate_add(xl,"!= ");
+		xt_xlate_add(xl, "cwr");
+	}
 
-	switch (einfo->ip_ect) {
-	case 0:
-		xt_xlate_add(xl, "not-ect");
-		break;
-	case 1:
-		xt_xlate_add(xl, "ect1");
-		break;
-	case 2:
-		xt_xlate_add(xl, "ect0");
-		break;
-	case 3:
-		xt_xlate_add(xl, "ce");
-		break;
+	if (einfo->operation & XT_ECN_OP_MATCH_IP) {
+		xt_xlate_add(xl, "ip ecn ");
+		if (einfo->invert)
+			xt_xlate_add(xl,"!= ");
+
+		switch (einfo->ip_ect) {
+		case 0:
+			xt_xlate_add(xl, "not-ect");
+			break;
+		case 1:
+			xt_xlate_add(xl, "ect1");
+			break;
+		case 2:
+			xt_xlate_add(xl, "ect0");
+			break;
+		case 3:
+			xt_xlate_add(xl, "ce");
+			break;
+		}
 	}
+
 	return 1;
 }
 
diff --git a/extensions/libxt_ecn.txlate b/extensions/libxt_ecn.txlate
index 9e3bd3109093..f012f1282a21 100644
--- a/extensions/libxt_ecn.txlate
+++ b/extensions/libxt_ecn.txlate
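Review bot: The three blocks append their expressions back to back, so a rule with more than one option set, e.g. `--ecn-tcp-ece --ecn-tcp-cwr`, yields `tcp flags ecntcp flags cwr` because `xt_xlate_add(xl, "ecn")` is followed directly by `xt_xlate_add(xl, "tcp flags ")` with no separator, and the same happens between the cwr block and `ip ecn `. Each block also tests the whole `invert` field; if `invert` is a per-option bitmask parallel to `operation` (as the kernel xt_ecn match treats it), a rule like `--ecn-tcp-ece ! --ecn-tcp-cwr` would render both flags negated, so each block should test its own bit, `if (einfo->invert & XT_ECN_OP_MATCH_CWR)`. The rewrite below emits one space only between blocks so the single-option cases in the txlate file keep exactly one space before `counter`; a txlate case combining two options would pin this. ecn_xlate's signature is in the hunk header and its opening brace is outside the hunk.
```c
	bool sep = false;	/* an earlier block already wrote an expression */

	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
		xt_xlate_add(xl, "tcp flags ");
		if (einfo->invert & XT_ECN_OP_MATCH_ECE)
			xt_xlate_add(xl, "!= ");
		xt_xlate_add(xl, "ecn");
		sep = true;
	}

	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
		if (sep)
			xt_xlate_add(xl, " ");
		xt_xlate_add(xl, "tcp flags ");
		if (einfo->invert & XT_ECN_OP_MATCH_CWR)
			xt_xlate_add(xl, "!= ");
		xt_xlate_add(xl, "cwr");
		sep = true;
	}

	if (einfo->operation & XT_ECN_OP_MATCH_IP) {
		if (sep)
			xt_xlate_add(xl, " ");
		xt_xlate_add(xl, "ip ecn ");
		if (einfo->invert & XT_ECN_OP_MATCH_IP)
			xt_xlate_add(xl, "!= ");
		/* … unchanged: ip_ect switch … */
	}
```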
@@ -21,3 +21,9 @@ nft add rule ip filter INPUT ip ecn != ect0 counter
 
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
 nft add rule ip filter INPUT ip ecn != ce counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-tcp-ece
+nft add rule ip filter INPUT tcp flags != ecn counter
+
+iptables-translate -A INPUT -m ecn --ecn-tcp-cwr
+nft add rule ip filter INPUT tcp flags cwr counter
-- 
2.16.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html