authorShivani Bhardwaj <shivanib134@gmail.com>2015-12-29 23:54:25 +0530
committerPablo Neira Ayuso <pablo@netfilter.org>2016-02-16 19:30:24 +0100
commit95a7a9df945790f92237e4d2e91f3d372d6a2ad5 (patch)
tree35d4ce594520c576f1ec000f7523c253fa69afeb /extensions
parentd4721236c2e8808958ada3d7b2548f4c473908a0 (diff)
extensions: libxt_length: Add translation to nft
Add translation for module length to nftables.

Examples:

$ sudo iptables-translate -A INPUT -p icmp -m length --length 86:0xffff -j DROP
nft add rule ip filter INPUT ip protocol icmp meta length 86-65535 counter drop

$ sudo iptables-translate -A INPUT -p udp -m length --length :400
nft add rule ip filter INPUT ip protocol udp meta length 0-400 counter

$ sudo iptables-translate -A INPUT -p udp -m length --length 40
nft add rule ip filter INPUT ip protocol udp meta length 40 counter

$ sudo iptables-translate -A INPUT -p udp -m length ! --length 40
nft add rule ip filter INPUT ip protocol udp meta length != 40 counter

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libxt_length.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/extensions/libxt_length.c b/extensions/libxt_length.c
index 6ea76465..96dab0cf 100644
--- a/extensions/libxt_length.c
+++ b/extensions/libxt_length.c
@@ -56,6 +56,21 @@ static void length_save(const void *ip, const struct xt_entry_match *match)
printf("%u:%u", info->min, info->max);
}
+static int length_xlate(const struct xt_entry_match *match,
+ struct xt_buf *buf, int numeric)
+{
+ const struct xt_length_info *info = (void *)match->data;
+
+ xt_buf_add(buf, "meta length %s", info->invert ? "!= " : "");
+ if (info->min == info->max)
+ xt_buf_add(buf, "%u ", info->min);
+ else
+ xt_buf_add(buf, "%u-%u ", info->min, info->max);
+
+ return 1;
+}
+
+
static struct xtables_match length_match = {
.family = NFPROTO_UNSPEC,
.name = "length",
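Review bot: length_xlate is added without a comment stating its contract, and since a wrong translation silently changes which packets a firewall rule matches, its assumptions should be written down. I would put above the function something like `/* Emit the nft "meta length" equivalent of this match; always returns 1. Assumes min <= max was enforced at parse time. */`; whether the parser actually enforces that ordering is not visible in this hunk, so it should be confirmed before the comment goes in. The `numeric` argument is never used, and the inverted range form (`!= min-max`) is the one output shape the commit message gives no example for, so it is worth checking by hand against nft. The hunk also leaves two consecutive blank lines after the closing brace where one is enough.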
@@ -67,6 +82,7 @@ static struct xtables_match length_match = {
.save = length_save,
.x6_parse = length_parse,
.x6_options = length_opts,
+ .xlate = length_xlate,
};
void _init(void)