From fb2593ebbf656fcfd8359b7cbbc18be655046b8b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 11 Apr 2014 17:58:53 +0200
Subject: extensions: libxt_tcp: add translation to nft

Translation for the TCP option matching is not yet implemented as we don't have a way to match this yet.

Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_tcp.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
(limited to 'extensions/libxt_tcp.c')

diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index bbdec454..2a454ea2 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -362,6 +362,86 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
 }
 }
+static const struct tcp_flag_names tcp_flag_names_xlate[] = {
+ { "fin", 0x01 },
+ { "syn", 0x02 },
+ { "rst", 0x04 },
+ { "psh", 0x08 },
+ { "ack", 0x10 },
+ { "urg", 0x20 },
+};
+
+static void print_tcp_xlate(struct xt_buf *buf, uint8_t flags)
+{
+ int have_flag = 0;
+
+ while (flags) {
+ unsigned int i;
+
+ for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
+
+ if (have_flag)
+ xt_buf_add(buf, "|");
+
+ xt_buf_add(buf, "%s", tcp_flag_names_xlate[i].name);
+ have_flag = 1;
+
+ flags &= ~tcp_flag_names_xlate[i].flag;
+ }
+
+ if (!have_flag)
+ xt_buf_add(buf, "none");
+}
+
+static int tcp_xlate(const struct xt_entry_match *match, struct xt_buf *buf,
+ int numeric)
+{
+ const struct xt_tcp *tcpinfo = (const struct xt_tcp *)match->data;
+
+ if (tcpinfo->spts[0] != 0 || tcpinfo->spts[1] != 0xffff) {
+ if (tcpinfo->spts[0] != tcpinfo->spts[1]) {
+ xt_buf_add(buf, "tcp sport %s%u-%u ",
+ tcpinfo->invflags & XT_TCP_INV_SRCPT ?
+ "!= " : "",
+ tcpinfo->spts[0], tcpinfo->spts[1]);
+ } else {
+ xt_buf_add(buf, "tcp sport %s%u ",
+ tcpinfo->invflags & XT_TCP_INV_SRCPT ?
+ "!= " : "",
+ tcpinfo->spts[0]);
+ }
+ }
+
+ if (tcpinfo->dpts[0] != 0 || tcpinfo->dpts[1] != 0xffff) {
+ if (tcpinfo->dpts[0] != tcpinfo->dpts[1]) {
+ xt_buf_add(buf, "tcp dport %s%u-%u ",
+ tcpinfo->invflags & XT_TCP_INV_DSTPT ?
+ "!= " : "",
+ tcpinfo->dpts[0], tcpinfo->dpts[1]);
+ } else {
+ xt_buf_add(buf, "tcp dport %s%u ",
+ tcpinfo->invflags & XT_TCP_INV_DSTPT ?
+ "!= " : "",
+ tcpinfo->dpts[0]);
+ }
+ }
+
+ /* XXX not yet implemented */
+ if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION))
+ return 0;
+
+ if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
+ xt_buf_add(buf, "tcp flags & ");
+ print_tcp_xlate(buf, tcpinfo->flg_mask);
+ xt_buf_add(buf, " %s ",
+ tcpinfo->invflags & XT_TCP_INV_FLAGS ?
"!=": "=="); + print_tcp_xlate(buf, tcpinfo->flg_cmp); + xt_buf_add(buf, " "); + } + + return 1; +} + static struct xtables_match tcp_match = { .family = NFPROTO_UNSPEC, .name = "tcp", @@ -374,6 +454,7 @@ static struct xtables_match tcp_match = { .print = tcp_print, .save = tcp_save, .extra_opts = tcp_opts, + .xlate = tcp_xlate, }; void -- cgit v1.2.3