diff options
| author | Roberto García <rodanber@gmail.com> | 2016-06-29 20:48:09 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-07-01 16:29:11 +0200 |
| commit | ca42442093d3dd97808aeacf6f3abbfbf0beeca6 (patch) | |
| tree | b47c155cc2f6fc84e8dcae7b09473c9f8f4bcf61 /extensions | |
| parent | 6490f0bb953a9a1290fe24453073a452a552e1f5 (diff) | |
iptables: extensions: libxt_ecn: Add translation to nft
Add translation of the ecn match to nftables.
Examples:
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn not-ect counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn ect1 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn ect0 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn ce counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn != not-ect counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn != ect1 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn != ect0 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn != ce counter
Signed-off-by: Roberto García <rodanber@gmail.com>
Reviewed-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libxt_ecn.c | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c index 286782a3..2856a311 100644 --- a/extensions/libxt_ecn.c +++ b/extensions/libxt_ecn.c @@ -118,6 +118,36 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match) } } +static int ecn_xlate(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_ecn_info *einfo = + (const struct xt_ecn_info *)match->data; + + if (!(einfo->operation & XT_ECN_OP_MATCH_IP)) + return 0; + + xt_xlate_add(xl, "ip ecn "); + if (einfo->invert) + xt_xlate_add(xl,"!= "); + + switch (einfo->ip_ect) { + case 0: + xt_xlate_add(xl, "not-ect "); + break; + case 1: + xt_xlate_add(xl, "ect1 "); + break; + case 2: + xt_xlate_add(xl, "ect0 "); + break; + case 3: + xt_xlate_add(xl, "ce "); + break; + } + return 1; +} + static struct xtables_match ecn_mt_reg = { .name = "ecn", .version = XTABLES_VERSION, @@ -130,6 +160,7 @@ static struct xtables_match ecn_mt_reg = { .x6_parse = ecn_parse, .x6_fcheck = ecn_check, .x6_options = ecn_opts, + .xlate = ecn_xlate, }; void _init(void) |