extensions: tcpmss: add iptables-translate support

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/extensions/libxt_tcpmss.c b/extensions/libxt_tcpmss.c
index bcd357aa3d8e293b0f183c21925dadacf20c6066..61b853d19aca9b4b916e3b97ef4e8a2811c77f04 100644 (file)
--- a/extensions/libxt_tcpmss.c
+++ b/extensions/libxt_tcpmss.c
@@ -60,6 +60,21 @@ static void tcpmss_save(const void *ip, const struct xt_entry_match *match)
                printf("%u:%u", info->mss_min, info->mss_max);
 }
 
+static int tcpmss_xlate(struct xt_xlate *xl,
+                       const struct xt_xlate_mt_params *params)
+{
+       const struct xt_tcpmss_match_info *info = (void *)params->match->data;
+
+       xt_xlate_add(xl, "tcp option maxseg size %s", info->invert ? "!= " : "");
+
+       if (info->mss_min == info->mss_max)
+               xt_xlate_add(xl, "%u", info->mss_min);
+       else
+               xt_xlate_add(xl, "%u-%u", info->mss_min, info->mss_max);
+
+       return 1;
+}
+
 static struct xtables_match tcpmss_match = {
        .family         = NFPROTO_UNSPEC,
        .name           = "tcpmss",
@@ -71,6 +86,7 @@ static struct xtables_match tcpmss_match = {
        .save           = tcpmss_save,
        .x6_parse       = tcpmss_parse,
        .x6_options     = tcpmss_opts,
+       .xlate          = tcpmss_xlate,
 };
 
 void _init(void)

diff --git a/extensions/libxt_tcpmss.txlate b/extensions/libxt_tcpmss.txlate
new file mode 100644 (file)
index 0000000..d3f1b27
--- /dev/null
+++ b/extensions/libxt_tcpmss.txlate
@@ -0,0 +1,11 @@
+iptables-translate -A INPUT -m tcpmss --mss 42
+nft add rule ip filter INPUT tcp option maxseg size 42 counter
+
+iptables-translate -A INPUT -m tcpmss ! --mss 42
+nft add rule ip filter INPUT tcp option maxseg size != 42 counter
+
+iptables-translate -A INPUT -m tcpmss --mss 42:1024
+nft add rule ip filter INPUT tcp option maxseg size 42-1024 counter
+
+iptables-translate -A INPUT -m tcpmss ! --mss 1461:65535
+nft add rule ip filter INPUT tcp option maxseg size != 1461-65535 counter