extensions: libxt_devgroup: Add translation to nft

Add translation for device group to nftables.

Examples:

$ sudo iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup 0x2 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept

$ sudo iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
nft add rule ip filter FORWARD iifgroup != 0x2 counter accept

Signed-off-by : Shivani Bhardwaj <shivanib134@gmail.com>

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c
index 1a5262730e50d7e1d1d59724c71ecc16e5aba83e..645f2f31df22fda02226686aa564a2eead9de597 100644 (file)
--- a/extensions/libxt_devgroup.c
+++ b/extensions/libxt_devgroup.c
@@ -151,6 +151,58 @@ static void devgroup_check(struct xt_fcheck_call *cb)
                              "'--src-group' or '--dst-group'");
 }
 
+static void
+print_devgroup_xlate(unsigned int id, uint32_t op,  unsigned int mask,
+                    struct xt_buf *buf, int numeric)
+{
+       const char *name = NULL;
+
+       if (mask != 0xffffffff)
+               xt_buf_add(buf, "and 0x%x %s 0x%x ", id,
+                          op == XT_OP_EQ ? "==" : "!=", mask);
+       else {
+               if (numeric == 0)
+                       name = xtables_lmap_id2name(devgroups, id);
+               if (name)
+                       xt_buf_add(buf, "%s ", name);
+               else
+                       xt_buf_add(buf, "%s0x%x ",
+                                  op == XT_OP_EQ ? "" : "!= ", id);
+       }
+}
+
+static void devgroup_show_xlate(const struct xt_devgroup_info *info,
+                               struct xt_buf *buf, int numeric)
+{
+       enum xt_op op = XT_OP_EQ;
+
+       if (info->flags & XT_DEVGROUP_MATCH_SRC) {
+               if (info->flags & XT_DEVGROUP_INVERT_SRC)
+                       op = XT_OP_NEQ;
+               xt_buf_add(buf, "iifgroup ");
+               print_devgroup_xlate(info->src_group, op,
+                                    info->src_mask, buf, numeric);
+       }
+
+       if (info->flags & XT_DEVGROUP_MATCH_DST) {
+               if (info->flags & XT_DEVGROUP_INVERT_DST)
+                       op = XT_OP_NEQ;
+               xt_buf_add(buf, "oifgroup ");
+               print_devgroup_xlate(info->dst_group, op,
+                                    info->dst_mask, buf, numeric);
+       }
+}
+
+static int devgroup_xlate(const struct xt_entry_match *match,
+                         struct xt_buf *buf, int numeric)
+{
+       const struct xt_devgroup_info *info = (const void *)match->data;
+
+       devgroup_show_xlate(info, buf, 0);
+
+       return 1;
+}
+
 static struct xtables_match devgroup_mt_reg = {
        .name           = "devgroup",
        .version        = XTABLES_VERSION,
@@ -164,6 +216,7 @@ static struct xtables_match devgroup_mt_reg = {
        .x6_parse       = devgroup_parse,
        .x6_fcheck      = devgroup_check,
        .x6_options     = devgroup_opts,
+       .xlate          = devgroup_xlate,
 };
 
 void _init(void)