diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-07-12 22:04:17 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-07-13 11:54:21 +0200 |
commit | b65a70131d0d38844be12235270eebaa9d2f5a4d (patch) | |
tree | cf3d687dba6d9a581e98e00f95ee4a692d019a0c /include/statement.h | |
parent | b553eefe5ef1ac538fdf051df51481d19c9fbf4e (diff) |
src: add xt compat support
At compilation time, you have to pass this option.
# ./configure --with-xtables
And libxtables needs to be installed in your system.
This patch allows to list a ruleset containing xt extensions loaded
through iptables-compat-restore tool.
Example:
$ iptables-save > ruleset
$ cat ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
COMMIT
$ sudo iptables-compat-restore ruleset
$ sudo nft list rulseset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/statement.h')
-rw-r--r-- | include/statement.h | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/include/statement.h b/include/statement.h index e9313ca7..1b215517 100644 --- a/include/statement.h +++ b/include/statement.h @@ -148,6 +148,37 @@ struct flow_stmt { extern struct stmt *flow_stmt_alloc(const struct location *loc); /** + * enum nft_xt_type - xtables statement types + * + * @NFT_XT_MATCH: match + * @NFT_XT_TARGET: target + * @NFT_XT_WATCHER: watcher (only for the bridge family) + */ +enum nft_xt_type { + NFT_XT_MATCH = 0, + NFT_XT_TARGET, + NFT_XT_WATCHER, + NFT_XT_MAX +}; + +struct xtables_match; +struct xtables_target; + +struct xt_stmt { + const char *name; + enum nft_xt_type type; + uint32_t proto; + union { + struct xtables_match *match; + struct xtables_target *target; + }; + const char *opts; + void *entry; +}; + +extern struct stmt *xt_stmt_alloc(const struct location *loc); + +/** * enum stmt_types - statement types * * @STMT_INVALID: uninitialised @@ -168,6 +199,7 @@ extern struct stmt *flow_stmt_alloc(const struct location *loc); * @STMT_SET: set statement * @STMT_DUP: dup statement * @STMT_FWD: forward statement + * @STMT_XT: XT statement */ enum stmt_types { STMT_INVALID, @@ -188,6 +220,7 @@ enum stmt_types { STMT_SET, STMT_DUP, STMT_FWD, + STMT_XT, }; /** @@ -243,6 +276,7 @@ struct stmt { struct set_stmt set; struct dup_stmt dup; struct fwd_stmt fwd; + struct xt_stmt xt; }; }; |