summaryrefslogtreecommitdiffstats
path: root/extensions/libxt_ipcomp.c
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libxt_ipcomp: add range support in translationLiping Zhang2016-10-141-3/+7
| | | | | | | | | | | | | | | | | | | When translate to nft rules, ipcompspi range is not supported, so: # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2 nft add rule ip filter OUTPUT comp cpi 1 counter # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30 nft add rule ip filter OUTPUT comp cpi != 3 counter Apply this patch: # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2 nft add rule ip filter OUTPUT comp cpi 1-2 counter # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30 nft add rule ip filter OUTPUT comp cpi != 3-30 counter Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-3/+4
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-translate: fix multiple spaces issuePablo M. Bermudo Garay2016-07-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_ipcomp: Add translation to nftLaura Garcia Liebana2016-06-011-0/+13
| | | | | | | | | | | | | | | | | | Add translation of ipcomp to nftables. First value of the parameter 'ipcompspi' will be translated to 'cpi' parameter in nftables. Parameter 'compres' is not supported in nftables. Examples: $ sudo iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT nft add rule ip filter INPUT comp cpi 18 counter accept $ sudo iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT nft add rule ip filter INPUT comp cpi != 18 counter accept Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Add IPv4/6 IPcomp match supportfan.du2013-12-241-0/+116
This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value. For example: iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP IPcomp packet with spi as 0x12 will be dropped. Signed-off-by: Fan Du <fan.du@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>