summaryrefslogtreecommitdiffstats
path: root/libxtables
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2014-04-11 12:31:39 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-02-16 19:30:21 +0100
commit933400b37d0966980d07d32b64403830429761ed (patch)
treea2540049b9e8c1d679bc2d8a096f0ffc629b9d36 /libxtables
parentd13b60c9ddb48e651b92f13579e236c530658176 (diff)
nft: xtables: add the infrastructure to translate from iptables to nft
This patch provides the infrastructure and two new utilities to translate iptables commands to nft, they are: 1) iptables-restore-translate which basically takes a file that contains the ruleset in iptables-restore format and converts it to the nft syntax, eg. % iptables-restore-translate -f ipt-ruleset > nft-ruleset % cat nft-ruleset # Translated by iptables-restore-translate v1.4.21 on Mon Apr 14 12:18:14 2014 add table ip filter add chain ip filter INPUT { type filter hook input priority 0; } add chain ip filter FORWARD { type filter hook forward priority 0; } add chain ip filter OUTPUT { type filter hook output priority 0; } add rule ip filter INPUT iifname lo counter accept # -t filter -A INPUT -m state --state INVALID -j LOG --log-prefix invalid: ... The rules that cannot be translated are left commented. Users should be able to run this to track down the nft progress to see at what point it can fully replace iptables and their filtering policy. 2) iptables-translate which suggests a translation for an iptables command: $ iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT nft add rule filter OUTPUT ip protocol udp ip dst 8.8.8.8 counter accept Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'libxtables')
-rw-r--r--libxtables/xtables.c51
1 files changed, 51 insertions, 0 deletions
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index f14d503c..fa979f23 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1986,3 +1986,54 @@ void get_kernel_version(void)
sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
kernel_version = LINUX_VERSION(x, y, z);
}
+
+struct xt_buf {
+ char *data;
+ int size;
+ int rem;
+ int off;
+};
+
+struct xt_buf *xt_buf_alloc(int size)
+{
+ struct xt_buf *buf;
+
+ buf = malloc(sizeof(struct xt_buf));
+ if (buf == NULL)
+ xtables_error(RESOURCE_PROBLEM, "OOM");
+
+ buf->data = malloc(size);
+ if (buf->data == NULL)
+ xtables_error(RESOURCE_PROBLEM, "OOM");
+
+ buf->size = size;
+ buf->rem = size;
+ buf->off = 0;
+
+ return buf;
+}
+
+void xt_buf_free(struct xt_buf *buf)
+{
+ free(buf);
+}
+
+void xt_buf_add(struct xt_buf *buf, const char *fmt, ...)
+{
+ va_list ap;
+ int len;
+
+ va_start(ap, fmt);
+ len = vsnprintf(buf->data + buf->off, buf->rem, fmt, ap);
+ if (len < 0 || len >= buf->rem)
+ xtables_error(RESOURCE_PROBLEM, "OOM");
+
+ va_end(ap);
+ buf->rem -= len;
+ buf->off += len;
+}
+
+const char *xt_buf_get(struct xt_buf *buf)
+{
+ return buf->data;
+}