extensions: libxt_CONNMARK: Add translation to nft

Add translation for the CONNMARK target to nftables.

The following options have no available translation:

  --save-mark [--nfmask nfmask] [--ctmask ctmask]
  --restore-mark [--nfmask nfmask] [--ctmask ctmask]

Examples:

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --set-xmark 0x16/0x12
  nft add rule ip mangle PREROUTING counter ct mark set ct mark xor 0x16 and
  0xffffffed

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --and-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set ct mark and 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --or-mark 0x16
  nft add rule ip mangle PREROUTING counter ct mark set ct mark or 0x16

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark
  nft add rule ip mangle PREROUTING counter ct mark set mark

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --save-mark \
    --mask 0x12
  nft add rule ip mangle PREROUTING counter ct mark set mark and 0x12

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark
  nft add rule ip mangle PREROUTING counter meta mark set ct mark

  # iptables-translate -t mangle -A PREROUTING -j CONNMARK --restore-mark \
    --mask 0x12
  nft add rule ip mangle PREROUTING counter meta mark set ct mark and 0x12

Signed-off-by: Roberto García <rodanber@gmail.com>
Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 42cf2079b6734a0a1fd3db3018748c3a0a124a44..358facf411c42a417b223cbae053ee7d725bca63 100644 (file)
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -347,6 +347,50 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
        }
 }
 
+static int
+connmark_tg_xlate(const void *ip, const struct xt_entry_target *target,
+                 struct xt_xlate *xl, int numeric)
+{
+       const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+       switch (info->mode) {
+       case XT_CONNMARK_SET:
+               xt_xlate_add(xl, "ct mark set ");
+               if (info->ctmark == 0)
+                       xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
+               else if (info->ctmark == info->ctmask)
+                       xt_xlate_add(xl, "ct mark or 0x%x",
+                                    info->ctmark);
+               else if (info->ctmask == 0)
+                       xt_xlate_add(xl, "ct mark xor 0x%x",
+                                    info->ctmark);
+               else if (info->ctmask == 0xFFFFFFFFU)
+                       xt_xlate_add(xl, "0x%x ", info->ctmark);
+               else
+                       xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
+                                    info->ctmark, ~info->ctmask);
+               break;
+       case XT_CONNMARK_SAVE:
+               xt_xlate_add(xl, "ct mark set mark");
+               if (!(info->nfmask == UINT32_MAX &&
+                   info->ctmask == UINT32_MAX)) {
+                       if (info->nfmask == info->ctmask)
+                               xt_xlate_add(xl, " and 0x%x", info->nfmask);
+               }
+               break;
+       case XT_CONNMARK_RESTORE:
+               xt_xlate_add(xl, "meta mark set ct mark");
+               if (!(info->nfmask == UINT32_MAX &&
+                   info->ctmask == UINT32_MAX)) {
+                       if (info->nfmask == info->ctmask)
+                               xt_xlate_add(xl, " and 0x%x", info->nfmask);
+               }
+               break;
+       }
+
+       return 1;
+}
+
 static struct xtables_target connmark_tg_reg[] = {
        {
                .family        = NFPROTO_UNSPEC,
@@ -377,6 +421,7 @@ static struct xtables_target connmark_tg_reg[] = {
                .x6_parse      = connmark_tg_parse,
                .x6_fcheck     = connmark_tg_check,
                .x6_options    = connmark_tg_opts,
+               .xlate         = connmark_tg_xlate,
        },
 };