diff mbox

extensions: libxt_tos: Add translation to nft

Message ID 20160214142500.GA3397@gmail.com
State Not Applicable
Delegated to: Pablo Neira
Headers show

Commit Message

Shivani Bhardwaj Feb. 14, 2016, 2:25 p.m. UTC 
Add translation for match tos to nftables.

Examples:

$ sudo iptables-translate -A INPUT -m tos --tos 0x02  -j ACCEPT
nft add rule ip filter INPUT ip tos 0x02 counter accept

$ sudo iptables-translate -A INPUT -m tos --tos 0x02/0x04  -j ACCEPT
nft add rule ip filter INPUT ip tos and 0x02 == 0x04 counter accept

$ sudo iptables-translate -A INPUT -m tos ! --tos 0x02/0x04  -j ACCEPT
nft add rule ip filter INPUT ip tos and 0x02 != 0x04 counter accept

Details:
This patch was sent by Ana, Shivani modified it as per the current
nftables structure, applied it to the latest branch and tested it.

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Ana Rey <anarey@gmail.com>
---
 extensions/libxt_tos.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

Comments

Pablo Neira Ayuso Feb. 16, 2016, 11:26 a.m. UTC | #1 
On Sun, Feb 14, 2016 at 07:55:00PM +0530, Shivani Bhardwaj wrote:
> Add translation for match tos to nftables.
> 
> Examples:
> 
> $ sudo iptables-translate -A INPUT -m tos --tos 0x02  -j ACCEPT
> nft add rule ip filter INPUT ip tos 0x02 counter accept
> 
> $ sudo iptables-translate -A INPUT -m tos --tos 0x02/0x04  -j ACCEPT
> nft add rule ip filter INPUT ip tos and 0x02 == 0x04 counter accept
> 
> $ sudo iptables-translate -A INPUT -m tos ! --tos 0x02/0x04  -j ACCEPT
> nft add rule ip filter INPUT ip tos and 0x02 != 0x04 counter accept
> 
> Details:
> This patch was sent by Ana, Shivani modified it as per the current
> nftables structure, applied it to the latest branch and tested it.

we're going to get rid of tos in nft soon since dscp supersedes it and
it is not compatible with is, so we won't be supporting this.

So please document this on the wiki. Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/extensions/libxt_tos.c b/extensions/libxt_tos.c
index 81c096f..577e9cb 100644
--- a/extensions/libxt_tos.c
+++ b/extensions/libxt_tos.c
@@ -121,6 +121,23 @@  static void tos_mt_save(const void *ip, const struct xt_entry_match *match)
 	printf(" --tos 0x%02x/0x%02x", info->tos_value, info->tos_mask);
 }
 
+static int tos_mt_xlate(const struct xt_entry_match *match,
+			struct xt_xlate *xl, int numeric)
+{
+	const struct xt_tos_match_info *info = (const void *)match->data;
+
+	xt_xlate_add(xl, "ip tos ");
+
+	if (info->tos_mask == 0xff)
+		xt_xlate_add(xl, "%s0x%02x ", info->invert ? "!= " : "",
+			     info->tos_value);
+	else
+		xt_xlate_add(xl, "and 0x%02x %s 0x%02x ", info->tos_value,
+			     info->invert ? "!=" : "==", info->tos_mask);
+
+	return 1;
+}
+
 static struct xtables_match tos_mt_reg[] = {
 	{
 		.version       = XTABLES_VERSION,
@@ -147,6 +164,7 @@  static struct xtables_match tos_mt_reg[] = {
 		.save          = tos_mt_save,
 		.x6_parse      = tos_mt_parse,
 		.x6_options    = tos_mt_opts,
+		.xlate	       = tos_mt_xlate,
 	},
 };