| Message ID | 1467192252-5714-1-git-send-email-rodanber@gmail.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
On 29 June 2016 at 11:24, <rodanber@gmail.com> wrote: > From: Roberto García <rodanber@gmail.com> > > Add translation of the ecn match to nftables. > > Examples: > # iptables-translate -A INPUT -m ecn --ecn-ip-ect 0 > nft add rule ip filter INPUT ip ecn not-ect counter > > # iptables-translate -A INPUT -m ecn --ecn-ip-ect 1 > nft add rule ip filter INPUT ip ecn ect1 counter > > # iptables-translate -A INPUT -m ecn --ecn-ip-ect 2 > nft add rule ip filter INPUT ip ecn ect0 counter > > # iptables-translate -A INPUT -m ecn --ecn-ip-ect 3 > nft add rule ip filter INPUT ip ecn ce counter > > # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0 > nft add rule ip filter INPUT ip ecn != not-ect counter > > # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1 > nft add rule ip filter INPUT ip ecn != ect1 counter > > # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2 > nft add rule ip filter INPUT ip ecn != ect0 counter > > # iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3 > nft add rule ip filter INPUT ip ecn != ce counter > > Signed-off-by: Roberto García <rodanber@gmail.com> > --- > extensions/libxt_ecn.c | 30 ++++++++++++++++++++++++++++++ > 1 file changed, 30 insertions(+) > > diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c > index 286782a..4efdda3 100644 > --- a/extensions/libxt_ecn.c > +++ b/extensions/libxt_ecn.c > @@ -118,6 +118,35 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match) > } > } > > +static int ecn_xlate(const void *ip, const struct xt_entry_match *match, > + struct xt_xlate *xl, int numeric) > +{ > + const struct xt_ecn_info *einfo = > + (const struct xt_ecn_info *)match->data; > + > + if (einfo->operation & XT_ECN_OP_MATCH_IP) { > + xt_xlate_add(xl, "ip ecn "); > + if (einfo->invert) > + xt_xlate_add(xl,"!= "); > + switch (einfo->ip_ect) { > + case 0: > + xt_xlate_add(xl, "not-ect "); > + break; > + case 1: > + xt_xlate_add(xl, "ect1 "); > + break; > + case 2: > + xt_xlate_add(xl, "ect0 "); > + break; > + case 3: > + xt_xlate_add(xl, "ce "); > + break; > + } > + return 1; > + } else > + return 0; > +} Hi Roberto, instead of wrapping all the translation composition inside the if(), just return 0 if the condition is not met. That's what I meant with the early return thing in my last email. regards
diff --git a/extensions/libxt_ecn.c b/extensions/libxt_ecn.c index 286782a..4efdda3 100644 --- a/extensions/libxt_ecn.c +++ b/extensions/libxt_ecn.c @@ -118,6 +118,35 @@ static void ecn_save(const void *ip, const struct xt_entry_match *match) } } +static int ecn_xlate(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct xt_ecn_info *einfo = + (const struct xt_ecn_info *)match->data; + + if (einfo->operation & XT_ECN_OP_MATCH_IP) { + xt_xlate_add(xl, "ip ecn "); + if (einfo->invert) + xt_xlate_add(xl,"!= "); + switch (einfo->ip_ect) { + case 0: + xt_xlate_add(xl, "not-ect "); + break; + case 1: + xt_xlate_add(xl, "ect1 "); + break; + case 2: + xt_xlate_add(xl, "ect0 "); + break; + case 3: + xt_xlate_add(xl, "ce "); + break; + } + return 1; + } else + return 0; +} + static struct xtables_match ecn_mt_reg = { .name = "ecn", .version = XTABLES_VERSION, @@ -130,6 +159,7 @@ static struct xtables_match ecn_mt_reg = { .x6_parse = ecn_parse, .x6_fcheck = ecn_check, .x6_options = ecn_opts, + .xlate = ecn_xlate, }; void _init(void)