From 147a891f8ca48f1f0c932ac304810d68780c90c2 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 18 Feb 2018 09:49:16 +0100
Subject: extenstions: ecn: add tcp ecn/cwr translation

nft can match tcp flags, so add ece/cwr translation.

Signed-off-by: Florian Westphal
---
 extensions/libxt_ecn.c | 49 ++++++++++++++++++++++++++++-----------------
 extensions/libxt_ecn.txlate | 6 ++++++
 2 files changed, 37 insertions(+), 18 deletions(-)
(limited to 'extensions')
diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c
index aeba01b3..ad3c7a03 100644
--- a/extensions/libxt_ecn.c
+++ b/extensions/libxt_ecn.c
@@ -124,26 +124,39 @@ static int ecn_xlate(struct xt_xlate *xl,
 const struct xt_ecn_info *einfo =
 (const struct xt_ecn_info *)params->match->data;
- if (!(einfo->operation & XT_ECN_OP_MATCH_IP))
- return 0;
+ if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
+ xt_xlate_add(xl, "tcp flags ");
+ if (einfo->invert)
+ xt_xlate_add(xl,"!= ");
+ xt_xlate_add(xl, "ecn");
+ }
- xt_xlate_add(xl, "ip ecn ");
- if (einfo->invert)
- xt_xlate_add(xl,"!= ");
+ if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
+ xt_xlate_add(xl, "tcp flags ");
+ if (einfo->invert)
+ xt_xlate_add(xl,"!= ");
+ xt_xlate_add(xl, "cwr");
+ }
- switch (einfo->ip_ect) {
- case 0:
- xt_xlate_add(xl, "not-ect");
- break;
- case 1:
- xt_xlate_add(xl, "ect1");
- break;
- case 2:
- xt_xlate_add(xl, "ect0");
- break;
- case 3:
- xt_xlate_add(xl, "ce");
- break;
+ if (einfo->operation & XT_ECN_OP_MATCH_IP) {
+ xt_xlate_add(xl, "ip ecn ");
+ if (einfo->invert)
+ xt_xlate_add(xl,"!= ");
+
+ switch (einfo->ip_ect) {
+ case 0:
+ xt_xlate_add(xl, "not-ect");
+ break;
+ case 1:
+ xt_xlate_add(xl, "ect1");
+ break;
+ case 2:
+ xt_xlate_add(xl, "ect0");
+ break;
+ case 3:
+ xt_xlate_add(xl, "ce");
+ break;
+ }
 }
 return 1;
 }
diff --git a/extensions/libxt_ecn.txlate b/extensions/libxt_ecn.txlate
index 9e3bd310..f012f128 100644
--- a/extensions/libxt_ecn.txlate
+++ b/extensions/libxt_ecn.txlate
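Review bot: The three new `if (einfo->invert)` tests treat invert as a single boolean, but the XT_ECN_OP_MATCH_ECE/CWR/IP bits they sit next to suggest invert is a per-operation bitmask filled in by the option parser (outside this hunk); if so, a rule such as `! --ecn-tcp-ece --ecn-tcp-cwr` would be translated with `!=` on both tcp flags expressions, which is not what the kernel match evaluates. Masking each test with its own operation bit — `if (einfo->invert & XT_ECN_OP_MATCH_ECE)`, `if (einfo->invert & XT_ECN_OP_MATCH_CWR)` and `if (einfo->invert & XT_ECN_OP_MATCH_IP)` — keeps the translation faithful to the original rule. Separately, when more than one operation is set the blocks append back to back ("ecn" is immediately followed by "tcp flags "), so unless xt_xlate_add inserts a separator the output runs together; a `xt_xlate_add(xl, " ")` between the blocks, or a single combined tcp flags expression, would avoid that. The .txlate additions only exercise one option per rule, so a combined case such as `--ecn-tcp-ece --ecn-tcp-cwr` is worth adding there as well.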
@@ -21,3 +21,9 @@ nft add rule ip filter INPUT ip ecn != ect0 counter
 iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
 nft add rule ip filter INPUT ip ecn != ce counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-tcp-ece
+nft add rule ip filter INPUT tcp flags != ecn counter
+
+iptables-translate -A INPUT -m ecn --ecn-tcp-cwr
+nft add rule ip filter INPUT tcp flags cwr counter
-- 
cgit v1.2.3