diff options
| author | Laura Garcia Liebana <nevola@gmail.com> | 2016-06-08 19:47:28 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-06-14 18:33:51 +0200 |
| commit | bd5bbc7a0fbd8e99348d108d78281b0528bad80a (patch) | |
| tree | 3e0be79487aab2899151c8b8909632ed798d13f0 /extensions | |
| parent | 4bdf0ae602c4f53b05b8fe903981a92f8f2a65b0 (diff) | |
extensions: libip6t_frag: Add translation to nft
Add translation for frag to nftables. According to the --fraglen code:
case O_FRAGLEN:
/*
* As of Linux 3.0, the kernel does not check for
* fraglen at all.
*/
In addition, the kernel code doesn't show any reference to the flag
IP6T_FRAG_LEN, so this option is deprecated and won't be translated to
nft.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100 --fragres --fragmore -j ACCEPT
nft add rule ip6 filter INPUT frag id 100 frag reserved 1 frag more-fragments 1 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag ! --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id != 100-200 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag more-fragments 0 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 --fragfirst -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 frag frag-off 0 counter accept
$ sudo iptables-translate -t filter -A INPUT -m frag --fraglast -j ACCEPT
nft add rule ip6 filter INPUT frag more-fragments 0 counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libip6t_frag.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/extensions/libip6t_frag.c b/extensions/libip6t_frag.c index 023df627..57487c43 100644 --- a/extensions/libip6t_frag.c +++ b/extensions/libip6t_frag.c @@ -173,6 +173,37 @@ static void frag_save(const void *ip, const struct xt_entry_match *match) printf(" --fraglast"); } +static int frag_xlate(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct ip6t_frag *fraginfo = (struct ip6t_frag *)match->data; + + if (!(fraginfo->ids[0] == 0 && fraginfo->ids[1] == 0xFFFFFFFF)) { + xt_xlate_add(xl, "frag id %s", + (fraginfo->invflags & IP6T_FRAG_INV_IDS) ? + "!= " : ""); + if (fraginfo->ids[0] != fraginfo->ids[1]) + xt_xlate_add(xl, "%u-%u ", fraginfo->ids[0], + fraginfo->ids[1]); + else + xt_xlate_add(xl, "%u ", fraginfo->ids[0]); + } + + if (fraginfo->flags & IP6T_FRAG_RES) + xt_xlate_add(xl, "frag reserved 1 "); + + if (fraginfo->flags & IP6T_FRAG_FST) + xt_xlate_add(xl, "frag frag-off 0 "); + + if (fraginfo->flags & IP6T_FRAG_MF) + xt_xlate_add(xl, "frag more-fragments 1 "); + + if (fraginfo->flags & IP6T_FRAG_NMF) + xt_xlate_add(xl, "frag more-fragments 0 "); + + return 1; +} + static struct xtables_match frag_mt6_reg = { .name = "frag", .version = XTABLES_VERSION, @@ -185,6 +216,7 @@ static struct xtables_match frag_mt6_reg = { .save = frag_save, .x6_parse = frag_parse, .x6_options = frag_opts, + .xlate = frag_xlate, }; void |