extensions: libxt_ipcomp: add range support in translation

When translate to nft rules, ipcompspi range is not supported, so:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3 counter

Apply this patch:
  # iptables-translate -A OUTPUT -m ipcomp --ipcompspi 1:2
  nft add rule ip filter OUTPUT comp cpi 1-2 counter

  # iptables-translate -A OUTPUT -m ipcomp ! --ipcompspi 3:30
  nft add rule ip filter OUTPUT comp cpi != 3-30 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c
index 9f7c0ef55ab0345990bfb323987b2f592b2390aa..b5c43128466fb60bb4d3be52a69b09b1dde02b77 100644 (file)
--- a/extensions/libxt_ipcomp.c
+++ b/extensions/libxt_ipcomp.c
@@ -101,9 +101,13 @@ static int comp_xlate(struct xt_xlate *xl,
        const struct xt_ipcomp *compinfo =
                (struct xt_ipcomp *)params->match->data;
 
-       xt_xlate_add(xl, "comp cpi %s%u",
-                    (compinfo->invflags & XT_IPCOMP_INV_SPI) ? "!= " : "",
-                    compinfo->spis[0]);
+       xt_xlate_add(xl, "comp cpi %s",
+                    compinfo->invflags & XT_IPCOMP_INV_SPI ? "!= " : "");
+       if (compinfo->spis[0] != compinfo->spis[1])
+               xt_xlate_add(xl, "%u-%u", compinfo->spis[0],
+                            compinfo->spis[1]);
+       else
+               xt_xlate_add(xl, "%u", compinfo->spis[0]);
 
        return 1;
 }