From 933400b37d0966980d07d32b64403830429761ed Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Fri, 11 Apr 2014 12:31:39 +0200 Subject: nft: xtables: add the infrastructure to translate from iptables to nft This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are: 1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg. % iptables-restore-translate -f ipt-ruleset > nft-ruleset % cat nft-ruleset # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter INPUT iifname lo counter accept # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid: ... The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy. 2) iptables-translate which suggests a translation for an iptables command: $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept Signed-off-by: Pablo Neira Ayuso --- include/xtables.h | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'include') diff --git a/include/xtables.h b/include/xtables.h index 978ae0d1..7d97baaf 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -205,6 +205,8 @@ enum xtables_ext_flags { XTABLES_EXT_ALIAS = 1 << 0, }; +struct xt_buf; + /* Include file for additions: new matches and targets. */ struct xtables_match { @@ -269,6 +271,10 @@ struct xtables_match void (*x6_fcheck)(struct xt_fcheck_call *); const struct xt_option_entry *x6_options; + /* Translate iptables to nft */ + int (*xlate)(const struct xt_entry_match *match, struct xt_buf *buf, + int numeric); + /* Size of per-extension instance extra "global" scratch space */ size_t udata_size; @@ -346,6 +352,10 @@ struct xtables_target void (*x6_fcheck)(struct xt_fcheck_call *); const struct xt_option_entry *x6_options; + /* Translate iptables to nft */ + int (*xlate)(const struct xt_entry_target *target, struct xt_buf *buf, + int numeric); + size_t udata_size; /* Ignore these men behind the curtain: */ @@ -548,6 +558,12 @@ extern void xtables_lmap_free(struct xtables_lmap *); extern int xtables_lmap_name2id(const struct xtables_lmap *, const char *); extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int); +/* generic buffer */ +struct xt_buf *xt_buf_alloc(int size); +void xt_buf_free(struct xt_buf *buf); +void xt_buf_add(struct xt_buf *buf, const char *fmt, ...); +const char *xt_buf_get(struct xt_buf *buf); + #ifdef XTABLES_INTERNAL /* Shipped modules rely on this... */ -- cgit v1.2.3