| Message ID | 20160601220804.GA3515@sonyv |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> Add translation for Hop-By-Hop header to nftables. Hbh options are not
> supported yet in nft.

It would be good to document this in the wiki, as Shivani did already.
It would be also good if you can document what is missing to be
capable of matching these hbh options there.

> $ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
> nft add rule ip6 filter INPUT hbh hdrlength 22 counter
>
> $ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
> nft add rule ip6 filter INPUT hbh hdrlength != 22 counter

Applied, thanks Laura.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> > Add translation for Hop-By-Hop header to nftables. Hbh options are not
> > supported yet in nft.
>
> It would be good to document this in the wiki, as Shivani did already.
> It would be also good if you can document what is missing to be
> capable of matching these hbh options there.
>

It seems that it is already documented in the official wiki.

ip6 hbh [Waiting for support of options] (partial translations available)
diff --git a/extensions/libip6t_hbh.c b/extensions/libip6t_hbh.c index c0389ed..416681d 100644 --- a/extensions/libip6t_hbh.c +++ b/extensions/libip6t_hbh.c @@ -164,6 +164,22 @@ static void hbh_save(const void *ip, const struct xt_entry_match *match) print_options(optinfo->optsnr, (uint16_t *)optinfo->opts); } +static int hbh_xlate(const void *ip, const struct xt_entry_match *match, + struct xt_xlate *xl, int numeric) +{ + const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data; + + if (!(optinfo->flags & IP6T_OPTS_LEN) || + (optinfo->flags & IP6T_OPTS_OPTS)) + return 0; + + xt_xlate_add(xl, "hbh hdrlength %s%u ", + (optinfo->invflags & IP6T_OPTS_INV_LEN) ? "!= " : "", + optinfo->hdrlen); + + return 1; +} + static struct xtables_match hbh_mt6_reg = { .name = "hbh", .version = XTABLES_VERSION, @@ -175,6 +191,7 @@ static struct xtables_match hbh_mt6_reg = { .save = hbh_save, .x6_parse = hbh_parse, .x6_options = hbh_opts, + .xlate = hbh_xlate, }; void
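Review bot: the cast in `const struct ip6t_opts *optinfo = (struct ip6t_opts *)match->data;` strips the const qualifier that `match` carries only to add it back on the destination; cast to `(const struct ip6t_opts *)` instead so the compiler can still flag an accidental write through `optinfo`. A one-line comment above the early return would also help: `if (!(optinfo->flags & IP6T_OPTS_LEN) || (optinfo->flags & IP6T_OPTS_OPTS)) return 0;` rejects not only rules using `--hbh-opts` (which the commit message says nft cannot express yet) but also a bare `-m hbh` with no `--hbh-len`, and a reader should be able to see that the second case is deliberate rather than an oversight.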
Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.

$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter

$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength != 22 counter

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
 extensions/libip6t_hbh.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)