author | Shivani Bhardwaj <shivanib134@gmail.com> | 2016-03-04 03:31:45 +0530 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-07 17:52:16 +0100 |
commit | c94a99872414327426718bd56958bb438424fd83 (patch) | |
tree | ad180868a1330d5433aca2d9db4148abc3e3552a /extensions/libxt_dccp.c | |
parent | defc7bd2bac89aab8f12929f264241e4583ec21c (diff) |
extensions: libxt_dccp: Add translation to nft
Add translation for dccp to nftables.
Full translation of this match awaits the support for --dccp-option.
Examples:
$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_dccp.c')
-rw-r--r-- | extensions/libxt_dccp.c | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/extensions/libxt_dccp.c b/extensions/libxt_dccp.c
index a35cabbd..0d4f3692 100644
--- a/extensions/libxt_dccp.c
+++ b/extensions/libxt_dccp.c
@@ -277,6 +277,97 @@ static void dccp_save(const void *ip, const struct xt_entry_match *match)
 }
 }
 
+static const char *const dccp_pkt_types_xlate[] = {
+ [DCCP_PKT_REQUEST] = "request",
+ [DCCP_PKT_RESPONSE] = "response",
+ [DCCP_PKT_DATA] = "data",
+ [DCCP_PKT_ACK] = "ack",
+ [DCCP_PKT_DATAACK] = "dataack",
+ [DCCP_PKT_CLOSEREQ] = "closereq",
+ [DCCP_PKT_CLOSE] = "close",
+ [DCCP_PKT_RESET] = "reset",
+ [DCCP_PKT_SYNC] = "sync",
+ [DCCP_PKT_SYNCACK] = "syncack",
+};
+
+static int dccp_type_xlate(const struct xt_dccp_info *einfo,
+ struct xt_xlate *xl)
+{
+ bool have_type = false, set_need = false;
+ uint16_t types = einfo->typemask;
+
+ if (types & (1 << DCCP_PKT_INVALID))
+ return 0;
+
+ xt_xlate_add(xl, "dccp type%s ", einfo->invflags ? " !=" : "");
+
+ if ((types != 0) && !(types == (types & -types))) {
+ xt_xlate_add(xl, "{");
+ set_need = true;
+ }
+
+ while (types) {
+ unsigned int i;
+
+ for (i = 0; !(types & (1 << i)); i++);
+
+ if (have_type)
+ xt_xlate_add(xl, ", ");
+ else
+ have_type = true;
+
+ xt_xlate_add(xl, "%s", dccp_pkt_types_xlate[i]);
+
+ types &= ~(1 << i);
+ }
+
+ if (set_need)
+ xt_xlate_add(xl, "}");
+
+ xt_xlate_add(xl, " ");
+
+ return 1;
+}
+
+static int dccp_xlate(const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct xt_dccp_info *einfo =
+ (const struct xt_dccp_info *)match->data;
+ int ret = 1;
+
+ xt_xlate_add(xl, "dccp ");
+
+ if (einfo->flags & XT_DCCP_SRC_PORTS) {
+ if (einfo->spts[0] != einfo->spts[1])
+ xt_xlate_add(xl, "sport%s %u-%u ",
+ einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
+ einfo->spts[0], einfo->spts[1]);
+ else
+ xt_xlate_add(xl, "sport%s %u ",
+ einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
+ einfo->spts[0]);
+ }
+
+ if (einfo->flags & XT_DCCP_DEST_PORTS) {
+ if (einfo->dpts[0] != einfo->dpts[1])
+ xt_xlate_add(xl, "dport%s %u-%u ",
+ einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
+ einfo->dpts[0], einfo->dpts[1]);
+ else
+ xt_xlate_add(xl, "dport%s %u ",
+ einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
+ einfo->dpts[0]);
+ }
+
+ if (einfo->flags & XT_DCCP_TYPE)
+ ret = dccp_type_xlate(einfo, xl);
+
+ if (einfo->flags & XT_DCCP_OPTION)
+ ret = 0;
+
+ return ret;
+}
 static struct xtables_match dccp_match = {
 .name = "dccp",
 .family = NFPROTO_UNSPEC,
@@ -288,6 +379,7 @@ static struct xtables_match dccp_match = {
 .save = dccp_save,
 .x6_parse = dccp_parse,
 .x6_options = dccp_opts,
+ .xlate = dccp_xlate,
 };
 
 void _init(void) |