diff options
| author | Florian Westphal <fw@strlen.de> | 2018-02-18 09:49:16 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-02-26 00:03:54 +0100 |
| commit | 147a891f8ca48f1f0c932ac304810d68780c90c2 (patch) | |
| tree | e1fa45e6e7db6a3f23a8f6033659717df6c271f3 /extensions | |
| parent | ed928a8302aa7a531987ff8120950c44bfcab700 (diff) | |
extenstions: ecn: add tcp ecn/cwr translation
nft can match tcp flags, so add ece/cwr translation.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libxt_ecn.c | 49 | ||||
| -rw-r--r-- | extensions/libxt_ecn.txlate | 6 |
2 files changed, 37 insertions, 18 deletions
diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c index aeba01b3..ad3c7a03 100644 --- a/extensions/libxt_ecn.c +++ b/extensions/libxt_ecn.c @@ -124,26 +124,39 @@ static int ecn_xlate(struct xt_xlate *xl, const struct xt_ecn_info *einfo = (const struct xt_ecn_info *)params->match->data; - if (!(einfo->operation & XT_ECN_OP_MATCH_IP)) - return 0; + if (einfo->operation & XT_ECN_OP_MATCH_ECE) { + xt_xlate_add(xl, "tcp flags "); + if (einfo->invert) + xt_xlate_add(xl,"!= "); + xt_xlate_add(xl, "ecn"); + } - xt_xlate_add(xl, "ip ecn "); - if (einfo->invert) - xt_xlate_add(xl,"!= "); + if (einfo->operation & XT_ECN_OP_MATCH_CWR) { + xt_xlate_add(xl, "tcp flags "); + if (einfo->invert) + xt_xlate_add(xl,"!= "); + xt_xlate_add(xl, "cwr"); + } - switch (einfo->ip_ect) { - case 0: - xt_xlate_add(xl, "not-ect"); - break; - case 1: - xt_xlate_add(xl, "ect1"); - break; - case 2: - xt_xlate_add(xl, "ect0"); - break; - case 3: - xt_xlate_add(xl, "ce"); - break; + if (einfo->operation & XT_ECN_OP_MATCH_IP) { + xt_xlate_add(xl, "ip ecn "); + if (einfo->invert) + xt_xlate_add(xl,"!= "); + + switch (einfo->ip_ect) { + case 0: + xt_xlate_add(xl, "not-ect"); + break; + case 1: + xt_xlate_add(xl, "ect1"); + break; + case 2: + xt_xlate_add(xl, "ect0"); + break; + case 3: + xt_xlate_add(xl, "ce"); + break; + } } return 1; } diff --git a/extensions/libxt_ecn.txlate b/extensions/libxt_ecn.txlate index 9e3bd310..f012f128 100644 --- a/extensions/libxt_ecn.txlate +++ b/extensions/libxt_ecn.txlate @@ -21,3 +21,9 @@ nft add rule ip filter INPUT ip ecn != ect0 counter iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3 nft add rule ip filter INPUT ip ecn != ce counter + +iptables-translate -A INPUT -m ecn ! --ecn-tcp-ece +nft add rule ip filter INPUT tcp flags != ecn counter + +iptables-translate -A INPUT -m ecn --ecn-tcp-cwr +nft add rule ip filter INPUT tcp flags cwr counter |