author | Shivani Bhardwaj <shivanib134@gmail.com> | 2015-12-31 22:55:28 +0530 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-02-16 19:30:24 +0100 |
commit | b74a255a1e408dfe3590a1a45b0ba5e57e840971 (patch) | |
tree | 2b66e13337813ee3a0e3c677e575b65c02f3acd4 | |
parent | 95a7a9df945790f92237e4d2e91f3d372d6a2ad5 (diff) |
extensions: libip6t_ah: Add translation to nft
Add translation for AH to nftables.
Examples:
$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500 -j DROP
nft add rule ip6 filter INPUT ah spi 500 counter drop
$ sudo ip6tables-translate -A INPUT -m ah --ahspi 500:550 -j DROP
nft add rule ip6 filter INPUT ah spi 500-550 counter drop
$ sudo ip6tables-translate -A INPUT -m ah ! --ahlen 120
nft add rule ip6 filter INPUT ah hdrlength != 120 counter
$ sudo ip6tables-translate -A INPUT -m ah --ahres
nft add rule ip6 filter INPUT ah reserved 1 counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | extensions/libip6t_ah.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/extensions/libip6t_ah.c b/extensions/libip6t_ah.c
index 174d6d1d..f7c30f46 100644
--- a/extensions/libip6t_ah.c
+++ b/extensions/libip6t_ah.c
@@ -128,6 +128,32 @@ static void ah_save(const void *ip, const struct xt_entry_match *match)
 printf(" --ahres");
 }
+static int ah_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data;
+
+ if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
+ xt_buf_add(buf, "ah spi%s ",
+ (ahinfo->invflags & IP6T_AH_INV_SPI) ? " !=" : "");
+ if (ahinfo->spis[0] != ahinfo->spis[1])
+ xt_buf_add(buf, "%u-%u ", ahinfo->spis[0], ahinfo->spis[1]);
+ else
+ xt_buf_add(buf, "%u ", ahinfo->spis[0]);
+ }
+
+ if (ahinfo->hdrlen != 0 || (ahinfo->invflags & IP6T_AH_INV_LEN)) {
+ xt_buf_add(buf, "ah hdrlength%s %u ",
+ (ahinfo->invflags & IP6T_AH_INV_LEN) ? " !=" : "",
+ ahinfo->hdrlen);
+ }
+
+ if (ahinfo->hdrres != 0)
+ xt_buf_add(buf, "ah reserved %u ", ahinfo->hdrres);
+
+ return 1;
+}
+
 static struct xtables_match ah_mt6_reg = {
 .name = "ah",
 .version = XTABLES_VERSION,
@@ -140,6 +166,7 @@ static struct xtables_match ah_mt6_reg = {
 .save = ah_save,
 .x6_parse = ah_parse,
 .x6_options = ah_opts,
+ .xlate = ah_xlate,
 };
 void |
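Review bot: The `xt_buf_add(buf, "ah reserved %u ", ahinfo->hdrres);` line in ah_xlate prints the option flag (`hdrres` is set to 1 by `--ahres`) as if it were the header value to match, giving `ah reserved 1`; as far as I recall, the kernel ip6t_ah match and the ip6tables man page define `--ahres` as "match when the reserved field is zero", so the faithful nft form would be `ah reserved 0` and a translated ruleset would otherwise match the opposite packets — please confirm against the kernel module before merging. The resulting rule also drops nothing silently: a wrong but syntactically valid translation passes `nft` unnoticed, so this deserves a test in the xlate test suite alongside the examples in the commit message. Separately, `(struct ip6t_ah *)match->data` casts away the const of `match` only to assign to a `const` pointer; `(const struct ip6t_ah *)match->data` keeps the qualifier, matching the `const` in the signature. The `numeric` parameter is unused, which is acceptable for the callback signature but worth a one-line comment such as `/* numeric: unused, AH fields have no symbolic form */`.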