diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-07-12 22:04:17 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-07-13 11:54:21 +0200 |
| commit | b65a70131d0d38844be12235270eebaa9d2f5a4d (patch) | |
| tree | cf3d687dba6d9a581e98e00f95ee4a692d019a0c /src/netlink_delinearize.c | |
| parent | b553eefe5ef1ac538fdf051df51481d19c9fbf4e (diff) | |
src: add xt compat support
At compilation time, you have to pass this option.
# ./configure --with-xtables
And libxtables needs to be installed in your system.
This patch allows to list a ruleset containing xt extensions loaded
through iptables-compat-restore tool.
Example:
$ iptables-save > ruleset
$ cat ruleset
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
COMMIT
$ sudo iptables-compat-restore ruleset
$ sudo nft list rulseset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
A translation of the extension is shown if this is available. In other
case, match or target definition is preceded by a hash. For example,
classify target has not translation:
$ sudo nft list chain mangle POSTROUTING
table ip mangle {
chain POSTROUTING {
type filter hook postrouting priority -150; policy accept;
ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
^^^
}
}
If the whole ruleset is translatable, the users can (re)load it using
"nft -f" and get nft native support for all their rules.
This patch is joint work by the authors listed below.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
| -rw-r--r-- | src/netlink_delinearize.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index fffbe266..257473a4 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -26,6 +26,7 @@ #include <erec.h> #include <sys/socket.h> #include <libnftnl/udata.h> +#include <xt.h> static int netlink_parse_expr(const struct nftnl_expr *nle, struct netlink_parse_ctx *ctx); @@ -986,6 +987,8 @@ static const struct { { .name = "queue", .parse = netlink_parse_queue }, { .name = "dynset", .parse = netlink_parse_dynset }, { .name = "fwd", .parse = netlink_parse_fwd }, + { .name = "target", .parse = netlink_parse_target }, + { .name = "match", .parse = netlink_parse_match }, }; static int netlink_parse_expr(const struct nftnl_expr *nle, @@ -1798,6 +1801,9 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r if (stmt->fwd.to != NULL) expr_postprocess(&rctx, &stmt->fwd.to); break; + case STMT_XT: + stmt_xt_postprocess(&rctx, stmt, rule); + break; default: break; } |