extensions: libipt_REJECT: Add translation to nft
authorShivani Bhardwaj <shivanib134@gmail.com>
Sun, 27 Dec 2015 04:42:48 +0000 (10:12 +0530)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 16 Feb 2016 18:30:23 +0000 (19:30 +0100)
Add translation for target REJECT to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with icmp-net-unreachable
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type net-unreachable

$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
nft add rule ip filter FORWARD tcp dport 22 counter reject with tcp reset

Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libipt_REJECT.c

index 362c65ed88e9617e1c5e6b759e984fe38510613d..dd4ac6295d1e0ea06ac6ed2d9c8b1e3a4fa0ead0 100644 (file)
@@ -24,6 +24,11 @@ struct reject_names {
        const char *desc;
 };
 
+struct reject_names_xlate {
+       const char *name;
+       enum ipt_reject_with with;
+};
+
 enum {
        O_REJECT_WITH = 0,
 };
@@ -129,8 +134,8 @@ static void REJECT_print(const void *ip, const struct xt_entry_target *target,
 
 static void REJECT_save(const void *ip, const struct xt_entry_target *target)
 {
-       const struct ipt_reject_info *reject
-               (const struct ipt_reject_info *)target->data;
+       const struct ipt_reject_info *reject =
+               (const struct ipt_reject_info *)target->data;
        unsigned int i;
 
        for (i = 0; i < ARRAY_SIZE(reject_table); ++i)
@@ -140,6 +145,43 @@ static void REJECT_save(const void *ip, const struct xt_entry_target *target)
        printf(" --reject-with %s", reject_table[i].name);
 }
 
+static const struct reject_names_xlate reject_table_xlate[] = {
+       {"net-unreachable",     IPT_ICMP_NET_UNREACHABLE},
+       {"host-unreachable",    IPT_ICMP_HOST_UNREACHABLE},
+       {"prot-unreachable",    IPT_ICMP_PROT_UNREACHABLE},
+       {"port-unreachable",    IPT_ICMP_PORT_UNREACHABLE},
+#if 0
+       {"echo-reply",          IPT_ICMP_ECHOREPLY},
+#endif
+       {"net-prohibited",      IPT_ICMP_NET_PROHIBITED},
+       {"host-prohibited",     IPT_ICMP_HOST_PROHIBITED},
+       {"tcp reset",           IPT_TCP_RESET},
+       {"admin-prohibited",    IPT_ICMP_ADMIN_PROHIBITED}
+};
+
+static int REJECT_xlate(const struct xt_entry_target *target,
+                       struct xt_buf *buf, int numeric)
+{
+       const struct ipt_reject_info *reject =
+               (const struct ipt_reject_info *)target->data;
+       unsigned int i;
+
+       for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i) {
+               if (reject_table_xlate[i].with == reject->with)
+                       break;
+       }
+
+       if (reject->with == IPT_TCP_RESET)
+               xt_buf_add(buf, "reject with %s",
+                          reject_table_xlate[i].name);
+       else
+               xt_buf_add(buf, "reject with icmp type %s",
+                          reject_table_xlate[i].name);
+
+       return 1;
+}
+
+
 static struct xtables_target reject_tg_reg = {
        .name           = "REJECT",
        .version        = XTABLES_VERSION,
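Review bot: REJECT_xlate indexes `reject_table_xlate[i].name` unconditionally after the lookup loop, so a `reject->with` value with no table entry leaves `i == ARRAY_SIZE(reject_table_xlate)` and the xt_buf_add calls read one past the end of the array. The value comes from the rule's target data rather than from the option parser, and IPT_ICMP_ECHOREPLY is compiled out of the table with `#if 0`, so a no-match exit from the loop is reachable in practice. Add `if (i == ARRAY_SIZE(reject_table_xlate)) return 0;` between the loop and the `if (reject->with == IPT_TCP_RESET)` test, which presumably reports the rule as untranslatable the way other xlate callbacks do instead of emitting garbage. The context lines of REJECT_save above appear to share the same unchecked-index pattern, but that is outside this change. If the `#if 0` echo-reply entry is kept for parity with reject_table, a one-line comment such as `/* kept in sync with reject_table; echo-reply is not a valid --reject-with value */` would explain why dead code sits in the table.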
@@ -152,6 +194,7 @@ static struct xtables_target reject_tg_reg = {
        .save           = REJECT_save,
        .x6_parse       = REJECT_parse,
        .x6_options     = REJECT_opts,
+       .xlate          = REJECT_xlate,
 };
 
 void _init(void)