diff options
| author | Shivani Bhardwaj <shivanib134@gmail.com> | 2015-12-27 10:12:48 +0530 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-02-16 19:30:23 +0100 |
| commit | 74023112b6b31e056bf21625f15b60238bbe28a0 (patch) | |
| tree | 2ee46f15bb1a9b6cb4baf9736522f878e6a534bf | |
| parent | c97632a504ba8869ec2c85336b896b596907a9a4 (diff) | |
extensions: libipt_REJECT: Add translation to nft
Add translation for target REJECT to nftables.
Examples:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | extensions/libipt_REJECT.c | 47 |
1 files changed, 45 insertions, 2 deletions
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c index 362c65ed..dd4ac629 100644 --- a/extensions/libipt_REJECT.c +++ b/extensions/libipt_REJECT.c @@ -24,6 +24,11 @@ struct reject_names { const char *desc; }; +struct reject_names_xlate { + const char *name; + enum ipt_reject_with with; +}; + enum { O_REJECT_WITH = 0, }; @@ -129,8 +134,8 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target, static void REJECT_save(const void *ip, const struct xt_entry_target *target) { - const struct ipt_reject_info *reject - = (const struct ipt_reject_info *)target->data; + const struct ipt_reject_info *reject = + (const struct ipt_reject_info *)target->data; unsigned int i; for (i = 0; i < ARRAY_SIZE(reject_table); ++i) @@ -140,6 +145,43 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target) printf(" --reject-with %s", reject_table[i].name); } +static const struct reject_names_xlate reject_table_xlate[] = { + {"net-unreachable", IPT_ICMP_NET_UNREACHABLE}, + {"host-unreachable", IPT_ICMP_HOST_UNREACHABLE}, + {"prot-unreachable", IPT_ICMP_PROT_UNREACHABLE}, + {"port-unreachable", IPT_ICMP_PORT_UNREACHABLE}, +#if 0 + {"echo-reply", IPT_ICMP_ECHOREPLY}, +#endif + {"net-prohibited", IPT_ICMP_NET_PROHIBITED}, + {"host-prohibited", IPT_ICMP_HOST_PROHIBITED}, + {"tcp reset", IPT_TCP_RESET}, + {"admin-prohibited", IPT_ICMP_ADMIN_PROHIBITED} +}; + +static int REJECT_xlate(const struct xt_entry_target *target, + struct xt_buf *buf, int numeric) +{ + const struct ipt_reject_info *reject = + (const struct ipt_reject_info *)target->data; + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i) { + if (reject_table_xlate[i].with == reject->with) + break; + } + + if (reject->with == IPT_TCP_RESET) + xt_buf_add(buf, "reject with %s", + reject_table_xlate[i].name); + else + xt_buf_add(buf, "reject with icmp type %s", + reject_table_xlate[i].name); + + return 1; +} + + static struct xtables_target reject_tg_reg = { .name = "REJECT", .version = XTABLES_VERSION, @@ -152,6 +194,7 @@ static struct xtables_target reject_tg_reg = { .save = REJECT_save, .x6_parse = REJECT_parse, .x6_options = REJECT_opts, + .xlate = REJECT_xlate, }; void _init(void) |