From f7c26137b0d57a4c59e13ee531ccdc82cdc34e03 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Fri, 25 Dec 2015 11:58:44 +0530 Subject: extensions: libipt_realm: Add translation to nft Add translation for routing realm to nftables. Examples: $ sudo iptables-translate -A PREROUTING -m realm --realm 4 nft add rule ip filter PREROUTING rtclassid 0x4 counter $ sudo iptables-translate -A PREROUTING -m realm --realm 5/5 nft add rule ip filter PREROUTING rtclassid and 0x5 == 0x5 counter $ sudo iptables-translate -A PREROUTING -m realm ! --realm 50 nft add rule ip filter PREROUTING rtclassid != 0x32 counter Signed-off-by: Shivani Bhardwaj Signed-off-by: Pablo Neira Ayuso --- extensions/libipt_realm.c | 42 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 40 insertions(+), 2 deletions(-) (limited to 'extensions') diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c index a8d9dda0..d0160408 100644 --- a/extensions/libipt_realm.c +++ b/extensions/libipt_realm.c @@ -34,6 +34,7 @@ static struct xtables_lmap *realms; static void realm_init(struct xt_entry_match *m) { const char file[] = "/etc/iproute2/rt_realms"; + realms = xtables_lmap_init(file); if (realms == NULL && errno != ENOENT) fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); @@ -70,7 +71,7 @@ static void realm_parse(struct xt_option_call *cb) static void print_realm(unsigned long id, unsigned long mask, int numeric) { - const char* name = NULL; + const char *name = NULL; if (mask != 0xffffffff) printf(" 0x%lx/0x%lx", id, mask); @@ -85,7 +86,7 @@ print_realm(unsigned long id, unsigned long mask, int numeric) } static void realm_print(const void *ip, const struct xt_entry_match *match, - int numeric) + int numeric) { const struct xt_realm_info *ri = (const void *)match->data; @@ -107,6 +108,42 @@ static void realm_save(const void *ip, const struct xt_entry_match *match) print_realm(ri->id, ri->mask, 0); } +static void +print_realm_xlate(unsigned long id, unsigned long mask, + int numeric, struct xt_buf *buf, uint32_t op) +{ + const char *name = NULL; + + if (mask != 0xffffffff) + xt_buf_add(buf, " and 0x%lx %s 0x%lx ", id, + op == XT_OP_EQ ? "==" : "!=", mask); + else { + if (numeric == 0) + name = xtables_lmap_id2name(realms, id); + if (name) + xt_buf_add(buf, "%s%s ", + op == XT_OP_EQ ? "" : "!= ", name); + else + xt_buf_add(buf, " %s0x%lx ", + op == XT_OP_EQ ? "" : "!= ", id); + } +} + +static int realm_xlate(const struct xt_entry_match *match, + struct xt_buf *buf, int numeric) +{ + const struct xt_realm_info *ri = (const void *)match->data; + enum xt_op op = XT_OP_EQ; + + if (ri->invert) + op = XT_OP_NEQ; + + xt_buf_add(buf, "rtclassid"); + print_realm_xlate(ri->id, ri->mask, 0, buf, op); + + return 1; +} + static struct xtables_match realm_mt_reg = { .name = "realm", .version = XTABLES_VERSION, @@ -119,6 +156,7 @@ static struct xtables_match realm_mt_reg = { .save = realm_save, .x6_parse = realm_parse, .x6_options = realm_opts, + .xlate = realm_xlate, }; void _init(void) -- cgit v1.2.3