authorShivani Bhardwaj <shivanib134@gmail.com>2015-12-20 23:43:21 +0530
committerPablo Neira Ayuso <pablo@netfilter.org>2016-02-16 19:30:22 +0100
commit6cfa723a83d45fac52646413caba59e1233c6bae (patch)
treed9bbe3ccb2d9e51aef86b705a9b79ff510af93a5 /extensions
parent6a0c31d7ff012696b47b7b9d80b211b3d573012f (diff)
extensions: libxt_esp: Add translation to nft
Add translation for ESP Protocol to nftables. Examples: $ sudo iptables-translate -A FORWARD -p esp -j ACCEPT nft add rule ip filter FORWARD ip protocol esp counter accept $ sudo iptables-translate -A INPUT --in-interface wan --protocol esp -j ACCEPT nft add rule ip filter INPUT iifname wan ip protocol esp counter accept $ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP nft add rule ip filter INPUT esp spi 500 counter drop $ sudo iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP nft add rule ip filter INPUT esp spi 500-600 counter drop Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libxt_esp.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/extensions/libxt_esp.c b/extensions/libxt_esp.c
index 773d6af8..e04daf82 100644
--- a/extensions/libxt_esp.c
+++ b/extensions/libxt_esp.c
@@ -86,10 +86,28 @@ static void esp_save(const void *ip, const struct xt_entry_match *match)
}
+static int esp_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_esp *espinfo = (struct xt_esp *)match->data;
+
+ if (!(espinfo->spis[0] == 0 && espinfo->spis[1] == 0xFFFFFFFF)) {
+ xt_buf_add(buf, "esp spi%s",
+ (espinfo->invflags & XT_ESP_INV_SPI) ? " !=" : "");
+ if (espinfo->spis[0] != espinfo->spis[1])
+ xt_buf_add(buf, " %u-%u ", espinfo->spis[0],
+ espinfo->spis[1]);
+ else
+ xt_buf_add(buf, " %u ", espinfo->spis[0]);
+ }
+
+ return 1;
+}
+
static struct xtables_match esp_match = {
.family = NFPROTO_UNSPEC,
- .name = "esp",
- .version = XTABLES_VERSION,
+ .name = "esp",
+ .version = XTABLES_VERSION,
.size = XT_ALIGN(sizeof(struct xt_esp)),
.userspacesize = XT_ALIGN(sizeof(struct xt_esp)),
.help = esp_help,
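Review bot: The initializer of `espinfo` casts away the `const` that `match` carries (`match->data` is a member of a const-qualified object), so the line should read `const struct xt_esp *espinfo = (const struct xt_esp *)match->data;` to keep the qualifier and stay clean under -Wcast-qual. The guard that skips the whole-range case (`spis[0] == 0 && spis[1] == 0xFFFFFFFF`) does not consult `XT_ESP_INV_SPI`, so a rule with the invert flag set on the full range appears to be translated as an unconditional match rather than a never-matching one; if that combination is reachable from the parser, an explicit branch or a comment such as `/* full range: no spi expression needed */` would make the intent clear. The `.name`/`.version` realignment in the same hunk is unrelated whitespace churn that would be easier to review as a separate change.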
@@ -98,6 +116,7 @@ static struct xtables_match esp_match = {
.save = esp_save,
.x6_parse = esp_parse,
.x6_options = esp_opts,
+ .xlate = esp_xlate,
};
void