Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 extensions/libxt_socket.c | 24 ++++++++++++++++++++++++
 extensions/libxt_socket.txlate | 11 +++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 extensions/libxt_socket.txlate

diff --git a/extensions/libxt_socket.c b/extensions/libxt_socket.c
index a99135cdfa0a..387e10ea0dea 100644
--- a/extensions/libxt_socket.c
+++ b/extensions/libxt_socket.c
@@ -159,6 +159,27 @@ socket_mt_print_v3(const void *ip, const struct xt_entry_match *match,
 socket_mt_save_v3(ip, match);
 }
+static int socket_mt_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params)
+{
+ const struct xt_socket_mtinfo3 *info = (const void *)params->match->data;
+ const char *space = "";
+
+ if (info->flags & XT_SOCKET_TRANSPARENT) {
+ xt_xlate_add(xl, "socket transparent 1");
+ space = " ";
+ }
+
+ if (info->flags & XT_SOCKET_NOWILDCARD) {
+ xt_xlate_add(xl, "%ssocket wildcard 0", space);
+ space = " ";
+ }
+
+ if (info->flags & XT_SOCKET_RESTORESKMARK)
+ xt_xlate_add(xl, "%smeta mark set socket mark", space);
+
+ return 1;
+}
+
 static struct xtables_match socket_mt_reg[] = {
 {
 .name = "socket",
@@ -180,6 +201,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save,
 .x6_parse = socket_mt_parse,
 .x6_options = socket_mt_opts,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -193,6 +215,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v2,
 .x6_parse = socket_mt_parse_v2,
 .x6_options = socket_mt_opts_v2,
+ .xlate = socket_mt_xlate,
 },
 {
 .name = "socket",
@@ -206,6 +229,7 @@ static struct xtables_match socket_mt_reg[] = {
 .save = socket_mt_save_v3,
 .x6_parse = socket_mt_parse_v3,
 .x6_options = socket_mt_opts_v3,
+ .xlate = socket_mt_xlate,
 },
 };
diff --git a/extensions/libxt_socket.txlate b/extensions/libxt_socket.txlate
new file mode 100644
index 000000000000..1fe73f9b510d
--- /dev/null
+++ b/extensions/libxt_socket.txlate
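Review bot: socket_mt_xlate emits nothing and still returns 1 when none of the three flags is set, so a plain `-m socket` rule comes out of iptables-translate with the socket match silently dropped; as far as I understand the match, a flagless `-m socket` still requires the socket lookup to succeed, so the translated rule would match more packets than the original, and the new txlate file only covers rules that carry at least one flag. If the convention of the other xlate callbacks (return 0 for a match that cannot be translated) applies here, ending the function with `return info->flags != 0;` would make iptables-translate mark the rule instead of widening it. The same callback is also registered for the revision-1 and revision-2 entries in the later hunks, whose match data is not a struct xt_socket_mtinfo3; the cast is only sound if `flags` sits at the same offset in every revision, which deserves a comment such as `/* every xt_socket_mtinfo revision starts with the same flags byte */` above the cast. socket_mt_reg[] continues past the end of the first hunk.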
@@ -0,0 +1,11 @@
+iptables-translate -A INPUT -m socket --transparent
+nft 'add rule ip filter INPUT socket transparent 1 counter'
+
+iptables-translate -A INPUT -m socket --nowildcard
+nft 'add rule ip filter INPUT socket wildcard 0 counter'
+
+iptables-translate -A INPUT -m socket --restore-skmark
+nft 'add rule ip filter INPUT meta mark set socket mark counter'
+
+iptables-translate -A INPUT -m socket --transparent --nowildcard --restore-skmark
+nft 'add rule ip filter INPUT socket transparent 1 socket wildcard 0 meta mark set socket mark counter'
-- 2.44.0