From cd11b62b477dc4563892d167ca58abfc637cdb1f Mon Sep 17 00:00:00 2001 From: Laura Garcia Liebana Date: Mon, 6 Jun 2016 20:51:04 +0200 Subject: extensions: libxt_dscp: Add translation to nft Add translation for dscp to nftables, for both ipv4 and ipv6. Examples: $ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT nft add rule ip filter INPUT ip dscp 0x32 counter accept $ sudo ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_dscp.c | 71 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 58 insertions(+), 13 deletions(-) (limited to 'extensions/libxt_dscp.c')
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 02b22a4e..adc78277 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -91,21 +91,66 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match)
 printf("%s --dscp 0x%02x", dinfo->invert ? " !" : "", dinfo->dscp);
 }
-static struct xtables_match dscp_match = {
- .family = NFPROTO_UNSPEC,
- .name = "dscp",
- .version = XTABLES_VERSION,
- .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
- .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
- .help = dscp_help,
- .print = dscp_print,
- .save = dscp_save,
- .x6_parse = dscp_parse,
- .x6_fcheck = dscp_check,
- .x6_options = dscp_opts,
+static int __dscp_xlate(const void *ip, const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ const struct xt_dscp_info *dinfo =
+ (const struct xt_dscp_info *)match->data;
+
+ xt_xlate_add(xl, "dscp %s0x%02x ", dinfo->invert ? "!= " : "",
+ dinfo->dscp);
+
+ return 1;
+}
+
+static int dscp_xlate(const void *ip, const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ xt_xlate_add(xl, "ip ");
+
+ return __dscp_xlate(ip, match, xl, numeric);
+}
+
+static int dscp_xlate6(const void *ip, const struct xt_entry_match *match,
+ struct xt_xlate *xl, int numeric)
+{
+ xt_xlate_add(xl, "ip6 ");
+
+ return __dscp_xlate(ip, match, xl, numeric);
+}
+
+static struct xtables_match dscp_mt_reg[] = {
+ {
+ .family = NFPROTO_IPV4,
+ .name = "dscp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .help = dscp_help,
+ .print = dscp_print,
+ .save = dscp_save,
+ .x6_parse = dscp_parse,
+ .x6_fcheck = dscp_check,
+ .x6_options = dscp_opts,
+ .xlate = dscp_xlate,
+ },
+ {
+ .family = NFPROTO_IPV6,
+ .name = "dscp",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_dscp_info)),
+ .help = dscp_help,
+ .print = dscp_print,
+ .save = dscp_save,
+ .x6_parse = dscp_parse,
+ .x6_fcheck = dscp_check,
+ .x6_options = dscp_opts,
+ .xlate = dscp_xlate6,
+ },
 };
 void
_init(void)
 {
- xtables_register_match(&dscp_match);
+ xtables_register_matches(dscp_mt_reg, ARRAY_SIZE(dscp_mt_reg));
 }
-- cgit v1.2.3 From f035be35c749d5c5cbb7ffdbcd1c548b91bd3033 Mon Sep 17 00:00:00 2001 From: "Pablo M. Bermudo Garay" Date: Sat, 9 Jul 2016 12:27:51 +0200 Subject: xtables-translate: fix multiple spaces issue This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_dscp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'extensions/libxt_dscp.c')
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index adc78277..17433ef8 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -97,7 +97,7 @@ static int __dscp_xlate(const void *ip, const struct xt_entry_match *match,
 const struct xt_dscp_info *dinfo =
 (const struct xt_dscp_info *)match->data;
- xt_xlate_add(xl, "dscp %s0x%02x ", dinfo->invert ? "!= " : "",
+ xt_xlate_add(xl, "dscp %s0x%02x", dinfo->invert ? "!= " : "",
 dinfo->dscp);
 return 1;
-- cgit v1.2.3 From 7a0992da44cfb6cab0ccd1beadcf326df8773552 Mon Sep 17 00:00:00 2001
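Review bot: The new helper `__dscp_xlate` is named with a leading double underscore, which the C standard reserves for the implementation; since the file's other helpers use a plain `dscp_` prefix, `static int dscp_xlate_common(...)` (with the two call sites in `dscp_xlate` and `dscp_xlate6` updated) would stay out of the reserved namespace without changing behaviour. A one-line comment above the helper would also make the split obvious to the next reader, e.g. `/* Emits the family-independent "dscp [!=] 0xNN" token; the "ip "/"ip6 " prefix comes from the per-family wrapper. */`. Replacing the single `NFPROTO_UNSPEC` registration with explicit IPv4 and IPv6 entries also narrows the families this match is offered for; if the kernel xt_dscp module only handles those two this is harmless, but the commit message does not say so and it is worth confirming. The hunk opens on the tail of `dscp_save`, whose body begins before it.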
From: Pablo Neira Ayuso Date: Sun, 24 Jul 2016 12:45:53 +0200 Subject: src: introduce struct xt_xlate_{mt,tg}_params This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_dscp.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'extensions/libxt_dscp.c')
diff --git a/extensions/libxt_dscp.c b/extensions/libxt_dscp.c
index 17433ef8..d5c73236 100644
--- a/extensions/libxt_dscp.c
+++ b/extensions/libxt_dscp.c
@@ -91,11 +91,11 @@ static void dscp_save(const void *ip, const struct xt_entry_match *match)
 printf("%s --dscp 0x%02x", dinfo->invert ? " !" : "", dinfo->dscp);
 }
-static int __dscp_xlate(const void *ip, const struct xt_entry_match *match,
- struct xt_xlate *xl, int numeric)
+static int __dscp_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
 {
 const struct xt_dscp_info *dinfo =
- (const struct xt_dscp_info *)match->data;
+ (const struct xt_dscp_info *)params->match->data;
 xt_xlate_add(xl, "dscp %s0x%02x", dinfo->invert ? "!= " : "",
 dinfo->dscp);
@@ -103,20 +103,20 @@ static int __dscp_xlate(const void *ip, const struct xt_entry_match *match,
 return 1;
 }
-static int dscp_xlate(const void *ip, const struct xt_entry_match *match,
- struct xt_xlate *xl, int numeric)
+static int dscp_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
 {
 xt_xlate_add(xl, "ip ");
- return __dscp_xlate(ip, match, xl, numeric);
+ return __dscp_xlate(xl, params);
 }
-static int dscp_xlate6(const void *ip, const struct xt_entry_match *match,
- struct xt_xlate *xl, int numeric)
+static int dscp_xlate6(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
 {
 xt_xlate_add(xl, "ip6 ");
- return __dscp_xlate(ip, match, xl, numeric);
+ return __dscp_xlate(xl, params);
 }
 static struct xtables_match dscp_mt_reg[] = {
-- cgit v1.2.3