extensions: libip6t_REJECT: Add translation to nft

Add translation for target REJECT to nftables.

Examples:

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp6-reject-route
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type reject-route

$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libip6t_REJECT.c b/extensions/libip6t_REJECT.c
index d62f4315469b6989ee553fa37d06d999c42fe394..3b8431c0c3c9045024092e1d22957a5a3c858f70 100644 (file)
--- a/extensions/libip6t_REJECT.c
+++ b/extensions/libip6t_REJECT.c
@@ -17,6 +17,11 @@ struct reject_names {
        const char *desc;
 };
 
+struct reject_names_xlate {
+       const char *name;
+       enum ip6t_reject_with with;
+};
+
 enum {
        O_REJECT_WITH = 0,
 };
@@ -124,6 +129,35 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
        printf(" --reject-with %s", reject_table[i].name);
 }
 
+static const struct reject_names_xlate reject_table_xlate[] = {
+       {"no-route",            IP6T_ICMP6_NO_ROUTE},
+       {"admin-prohibited",    IP6T_ICMP6_ADM_PROHIBITED},
+       {"addr-unreachable",    IP6T_ICMP6_ADDR_UNREACH},
+       {"port-unreachable",    IP6T_ICMP6_PORT_UNREACH},
+       {"tcp reset",           IP6T_TCP_RESET},
+       {"policy-fail",         IP6T_ICMP6_POLICY_FAIL},
+       {"reject-route",        IP6T_ICMP6_REJECT_ROUTE}
+};
+
+static int REJECT_xlate(const struct xt_entry_target *target,
+                       struct xt_buf *buf, int numeric)
+{
+       const struct ip6t_reject_info *reject =
+                               (const struct ip6t_reject_info *)target->data;
+       unsigned int i;
+
+       for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i)
+               if (reject_table_xlate[i].with == reject->with)
+                       break;
+       if (reject->with == IP6T_TCP_RESET)
+               xt_buf_add(buf, "reject with %s", reject_table_xlate[i].name);
+       else
+               xt_buf_add(buf, "reject with icmpv6 type %s",
+                          reject_table_xlate[i].name);
+
+       return 1;
+}
+
 static struct xtables_target reject_tg6_reg = {
        .name = "REJECT",
        .version        = XTABLES_VERSION,
@@ -136,6 +170,7 @@ static struct xtables_target reject_tg6_reg = {
        .save           = REJECT_save,
        .x6_parse       = REJECT_parse,
        .x6_options     = REJECT_opts,
+       .xlate          = REJECT_xlate,
 };
 
 void _init(void)