| Message ID | 1490715972-30517-1-git-send-email-gs051095@gmail.com |
|---|---|
| State | RFC |
| Delegated to: | Pablo Neira |
| Headers | show |
Gargi Sharma <gs051095@gmail.com> wrote: > Add translation for TOS to nftables. > > Examples: > > $ iptables-translate -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 > nft add rule ip mangle PREROUTING tcp dport 22 counter --set-tos 0x10/0xff > > $ iptables-translate -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos 0x02/0x10 > nft add rule ip mangle PREROUTING tcp sport 20 counter --set-tos 0x02/0x10 You did not test this :-/ nft add rule ip mangle PREROUTING tcp sport 20 counter --set-tos 0x02/0x10 nft: unrecognized option '--set-tos' besides, there is no TOS support in nftables. Please look at xt_DSCP.c and the xlate function there. You could rewrite -j TOS iptables rules to their corresponding dscp eqivalent in some cases at least. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Mar 28, 2017 at 9:22 PM, Florian Westphal <fw@strlen.de> wrote: > Gargi Sharma <gs051095@gmail.com> wrote: >> Add translation for TOS to nftables. >> >> Examples: >> >> $ iptables-translate -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 >> nft add rule ip mangle PREROUTING tcp dport 22 counter --set-tos 0x10/0xff >> >> $ iptables-translate -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos 0x02/0x10 >> nft add rule ip mangle PREROUTING tcp sport 20 counter --set-tos 0x02/0x10 > > You did not test this :-/ > Sorry! I realised this after sending this patch. > nft add rule ip mangle PREROUTING tcp sport 20 counter --set-tos 0x02/0x10 > nft: unrecognized option '--set-tos' > > besides, there is no TOS support in nftables. > Please look at xt_DSCP.c and the xlate function there. > From what I gather, the first 6 bits are used for DSCP and the last 2 for ecn. Should I write both dscp and ecn equivalent for the TOS specified? Thanks, Gargi > You could rewrite -j TOS iptables rules to their corresponding dscp > eqivalent in some cases at least. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/extensions/libxt_TOS.c b/extensions/libxt_TOS.c index cef5876..408918b 100644 --- a/extensions/libxt_TOS.c +++ b/extensions/libxt_TOS.c @@ -183,6 +183,26 @@ static void tos_tg_save(const void *ip, const struct xt_entry_target *target) printf(" --set-tos 0x%02x/0x%02x", info->tos_value, info->tos_mask); } +static int tos_xlate(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) +{ + const struct ipt_tos_target_info *info = + (struct ipt_tos_target_info *) params->target->data; + xt_xlate_add(xl, " --set-tos 0x%02x", info->tos); + + return 1; +} + +static int tos_xlate6(struct xt_xlate *xl, + const struct xt_xlate_tg_params *params) +{ + const struct xt_tos_target_info *info = + (struct xt_tos_target_info *) params->target->data; + xt_xlate_add(xl, " --set-tos 0x%02x/0x%02x", info->tos_value, info->tos_mask); + + return 1; +} + static struct xtables_target tos_tg_reg[] = { { .version = XTABLES_VERSION, @@ -197,6 +217,7 @@ static struct xtables_target tos_tg_reg[] = { .x6_parse = tos_tg_parse_v0, .x6_fcheck = tos_tg_check, .x6_options = tos_tg_opts_v0, + .xlate = tos_xlate, }, { .version = XTABLES_VERSION, @@ -211,6 +232,7 @@ static struct xtables_target tos_tg_reg[] = { .x6_parse = tos_tg_parse, .x6_fcheck = tos_tg_check, .x6_options = tos_tg_opts, + .xlate = tos_xlate6, }, };
Add translation for TOS to nftables. Examples: $ iptables-translate -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10 nft add rule ip mangle PREROUTING tcp dport 22 counter --set-tos 0x10/0xff $ iptables-translate -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos 0x02/0x10 nft add rule ip mangle PREROUTING tcp sport 20 counter --set-tos 0x02/0x10 Signed-off-by: Gargi Sharma <gs051095@gmail.com> --- extensions/libxt_TOS.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)