extensions: libxt_tcp: add translation to nft
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 11 Apr 2014 15:58:53 +0000 (17:58 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 16 Feb 2016 18:30:21 +0000 (19:30 +0100)
Translation for the TCP option match is not yet implemented, as there is
no way to express this match in nft yet.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libxt_tcp.c

index bbdec454355bb3e5613d71c7d1bf38f312391912..2a454ea2dd835bf231305761b80c727c7586090a 100644 (file)
@@ -362,6 +362,86 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match)
        }
 }
 
+static const struct tcp_flag_names tcp_flag_names_xlate[] = {
+       { "fin", 0x01 },
+       { "syn", 0x02 },
+       { "rst", 0x04 },
+       { "psh", 0x08 },
+       { "ack", 0x10 },
+       { "urg", 0x20 },
+};
+
+static void print_tcp_xlate(struct xt_buf *buf, uint8_t flags)
+{
+       int have_flag = 0;
+
+       while (flags) {
+               unsigned int i;
+
+               for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
+
+               if (have_flag)
+                       xt_buf_add(buf, "|");
+
+               xt_buf_add(buf, "%s", tcp_flag_names_xlate[i].name);
+               have_flag = 1;
+
+               flags &= ~tcp_flag_names_xlate[i].flag;
+       }
+
+       if (!have_flag)
+               xt_buf_add(buf, "none");
+}
+
+static int tcp_xlate(const struct xt_entry_match *match, struct xt_buf *buf,
+                    int numeric)
+{
+       const struct xt_tcp *tcpinfo = (const struct xt_tcp *)match->data;
+
+       if (tcpinfo->spts[0] != 0 || tcpinfo->spts[1] != 0xffff) {
+               if (tcpinfo->spts[0] != tcpinfo->spts[1]) {
+                       xt_buf_add(buf, "tcp sport %s%u-%u ",
+                                  tcpinfo->invflags & XT_TCP_INV_SRCPT ?
+                                       "!= " : "",
+                                  tcpinfo->spts[0], tcpinfo->spts[1]);
+               } else {
+                       xt_buf_add(buf, "tcp sport %s%u ",
+                                  tcpinfo->invflags & XT_TCP_INV_SRCPT ?
+                                       "!= " : "",
+                                  tcpinfo->spts[0]);
+               }
+       }
+
+       if (tcpinfo->dpts[0] != 0 || tcpinfo->dpts[1] != 0xffff) {
+               if (tcpinfo->dpts[0] != tcpinfo->dpts[1]) {
+                       xt_buf_add(buf, "tcp dport %s%u-%u ",
+                                  tcpinfo->invflags & XT_TCP_INV_DSTPT ?
+                                       "!= " : "",
+                                  tcpinfo->dpts[0], tcpinfo->dpts[1]);
+               } else {
+                       xt_buf_add(buf, "tcp dport %s%u ",
+                                  tcpinfo->invflags & XT_TCP_INV_DSTPT ?
+                                       "!= " : "",
+                                  tcpinfo->dpts[0]);
+               }
+       }
+
+       /* XXX not yet implemented */
+       if (tcpinfo->option || (tcpinfo->invflags & XT_TCP_INV_OPTION))
+               return 0;
+
+       if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
+               xt_buf_add(buf, "tcp flags & ");
+               print_tcp_xlate(buf, tcpinfo->flg_mask);
+               xt_buf_add(buf, " %s ",
+                          tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
+               print_tcp_xlate(buf, tcpinfo->flg_cmp);
+               xt_buf_add(buf, " ");
+       }
+
+       return 1;
+}
+
 static struct xtables_match tcp_match = {
        .family         = NFPROTO_UNSPEC,
        .name           = "tcp",
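Review bot: The flags translation at `xt_buf_add(buf, "tcp flags & ");` emits the mask without parentheses, so a multi-bit mask comes out as `tcp flags & fin|syn == syn`; if nft's expression grammar binds `&` tighter than `|` as C does, that parses as `(tcp flags & fin) | syn == syn` and the translated rule silently matches a different set of packets than the original --tcp-flags rule. Wrapping the mask is enough: `xt_buf_add(buf, "tcp flags & (");` and `xt_buf_add(buf, ") %s ", tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");`. Separately, the inner `for` in print_tcp_xlate has no upper bound on `i`, so any set bit outside the six-entry table (0x40 or 0x80 of the uint8_t) walks off the end of tcp_flag_names_xlate; the command-line parser presumably never produces those bits, but a cheap guard in tcp_xlate such as `if ((tcpinfo->flg_mask | tcpinfo->flg_cmp) & ~0x3f) return 0;` placed before the flags block keeps the helper memory-safe and reports the rule as untranslatable, consistent with how the option case is handled.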
@@ -374,6 +454,7 @@ static struct xtables_match tcp_match = {
        .print          = tcp_print,
        .save           = tcp_save,
        .extra_opts     = tcp_opts,
+       .xlate          = tcp_xlate,
 };
 
 void