* [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
@ 2016-03-09 15:58 Bhumika Goyal
  2016-03-09 16:52 ` Pablo Neira Ayuso
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Bhumika Goyal @ 2016-03-09 15:58 UTC (permalink / raw)
  To: bhumirks, shivanib134, pablo, netfilter

Add translation for target CONNMARK to nftables.

Examples:

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc

$ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff

Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
---
 extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
index 42cf207..e2dbf8d 100644
--- a/extensions/libxt_CONNMARK.c
+++ b/extensions/libxt_CONNMARK.c
@@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
 	}
 }
 
+static int
+connmark_tg_xlate(const struct xt_entry_target *target,
+		  struct xt_xlate *xl, int numeric)
+{
+	const struct xt_connmark_tginfo1 *info = (const void *)target->data;
+
+	switch (info->mode) {
+	case XT_CONNMARK_SET:
+		xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
+		break;
+	case XT_CONNMARK_SAVE:
+		xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
+			     info->nfmask, info->ctmask);
+		break;
+	case XT_CONNMARK_RESTORE:
+		xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
+			     info->nfmask, info->ctmask);
+		break;
+	default:
+		/* Should not happen */
+		break;
+	}
+
+	return 1;
+}
+
 static struct xtables_target connmark_tg_reg[] = {
 	{
 		.family        = NFPROTO_UNSPEC,
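Review bot: the strings emitted in this hunk are not nft statements, which is consistent with the reviewers here reporting that nft rejects the output. "mark set 0x%x/0x%x" carries the iptables value/mask spelling into nft, and since bare `mark` is nft's shorthand for the packet (meta) mark, it would act on the wrong mark even if the mask were accepted; "mark save nfmask ... ctmask ..." and "mark restore ..." reuse the iptables option names instead of nft statements that copy between the packet mark and the conntrack mark. Each translated line should be fed to nft before posting. Two smaller points: the `default:` branch comments "Should not happen" and then falls through to `return 1`, so an unrecognised `info->mode` reports a successful translation while having added nothing to `xl`; returning 0 there would let the caller flag the rule as untranslatable. Style: `xt_xlate_add(xl,"mark save` and `xt_xlate_add(xl,"mark restore` are missing the space after the comma.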
@@ -362,6 +388,7 @@ static struct xtables_target connmark_tg_reg[] = {
 		.x6_parse      = CONNMARK_parse,
 		.x6_fcheck     = connmark_tg_check,
 		.x6_options    = CONNMARK_opts,
+		.xlate	       = connmark_tg_xlate,
 	},
 	{
 		.version       = XTABLES_VERSION,
@@ -377,6 +404,7 @@ static struct xtables_target connmark_tg_reg[] = {
 		.x6_parse      = connmark_tg_parse,
 		.x6_fcheck     = connmark_tg_check,
 		.x6_options    = connmark_tg_opts,
+		.xlate	       = connmark_tg_xlate,
 	},
 };
 
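Review bot: same alignment nit as the previous hunk: `.xlate	       =` is padded with a tab while the neighbouring `.x6_parse`, `.x6_fcheck` and `.x6_options` fields use spaces; align with spaces so the initializer stays consistent.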
-- 
1.9.1



* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 15:58 [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft Bhumika Goyal
@ 2016-03-09 16:52 ` Pablo Neira Ayuso
  2016-03-09 17:12   ` Bhumika Goyal
  2016-03-09 17:03 ` Piyush Pangtey
  2016-03-09 17:31 ` Shivani Bhardwaj
  2 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-09 16:52 UTC (permalink / raw)
  To: Bhumika Goyal; +Cc: shivanib134, netfilter

On Wed, Mar 09, 2016 at 09:28:53PM +0530, Bhumika Goyal wrote:
> Add translation for target CONNMARK to nftables.
> 
> Examples:
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
> 
> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
> ---
>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
> 
> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
> index 42cf207..e2dbf8d 100644
> --- a/extensions/libxt_CONNMARK.c
> +++ b/extensions/libxt_CONNMARK.c
> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>  	}
>  }
>  
> +static int
> +connmark_tg_xlate(const struct xt_entry_target *target,
> +		  struct xt_xlate *xl, int numeric)
> +{
> +	const struct xt_connmark_tginfo1 *info = (const void *)target->data;
> +
> +	switch (info->mode) {
> +	case XT_CONNMARK_SET:
> +		xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
> +		break;
> +	case XT_CONNMARK_SAVE:
> +		xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
> +			     info->nfmask, info->ctmask);
> +		break;
> +	case XT_CONNMARK_RESTORE:
> +		xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
> +			     info->nfmask, info->ctmask);

This translation is not correct.



* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 15:58 [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft Bhumika Goyal
  2016-03-09 16:52 ` Pablo Neira Ayuso
@ 2016-03-09 17:03 ` Piyush Pangtey
  2016-03-09 17:20   ` Bhumika Goyal
  2016-03-09 17:31 ` Shivani Bhardwaj
  2 siblings, 1 reply; 9+ messages in thread
From: Piyush Pangtey @ 2016-03-09 17:03 UTC (permalink / raw)
  To: Bhumika Goyal; +Cc: netfilter

Hello Bhumika,

On Wednesday 09 March 2016 09:28 PM, Bhumika Goyal wrote:
> Add translation for target CONNMARK to nftables.
> 
> Examples:
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
> 
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
								  ^^^^^^^^^^^^^^
								  this does not work
> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
> ---
>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
> 
> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
> index 42cf207..e2dbf8d 100644
> --- a/extensions/libxt_CONNMARK.c
> +++ b/extensions/libxt_CONNMARK.c
> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>  	}
>  }
>  
> +static int
> +connmark_tg_xlate(const struct xt_entry_target *target,
> +		  struct xt_xlate *xl, int numeric)
> +{
> +	const struct xt_connmark_tginfo1 *info = (const void *)target->data;
> +
> +	switch (info->mode) {
> +	case XT_CONNMARK_SET:
> +		xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
> +		break;
> +	case XT_CONNMARK_SAVE:
> +		xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
			        ^
				missing space here

> +			     info->nfmask, info->ctmask);
> +		break;
> +	case XT_CONNMARK_RESTORE:
> +		xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",	
			        ^
				missing space here

> +			     info->nfmask, info->ctmask);
> +		break;
> +	default:
> +		/* Should not happen */
		^^^^^^^^^^^^^^^^^^^^^^^
		this comment is not meaningful

> +		break;
> +	}
> +
> +	return 1;
> +}
> +
>  static struct xtables_target connmark_tg_reg[] = {
>  	{
>  		.family        = NFPROTO_UNSPEC,
> @@ -362,6 +388,7 @@ static struct xtables_target connmark_tg_reg[] = {
>  		.x6_parse      = CONNMARK_parse,
>  		.x6_fcheck     = connmark_tg_check,
>  		.x6_options    = CONNMARK_opts,
> +		.xlate	       = connmark_tg_xlate,
>  	},
>  	{
>  		.version       = XTABLES_VERSION,
> @@ -377,6 +404,7 @@ static struct xtables_target connmark_tg_reg[] = {
>  		.x6_parse      = connmark_tg_parse,
>  		.x6_fcheck     = connmark_tg_check,
>  		.x6_options    = connmark_tg_opts,
> +		.xlate	       = connmark_tg_xlate,
>  	},
>  };
>  
> 




* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 16:52 ` Pablo Neira Ayuso
@ 2016-03-09 17:12   ` Bhumika Goyal
  2016-03-09 17:28     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 9+ messages in thread
From: Bhumika Goyal @ 2016-03-09 17:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso, outreachy-kernel; +Cc: Shivani Bhardwaj, netfilter

On Wed, Mar 9, 2016 at 10:22 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 09, 2016 at 09:28:53PM +0530, Bhumika Goyal wrote:
>> Add translation for target CONNMARK to nftables.
>>
>> Examples:
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
>> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
>> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
>> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
>>
>> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
>> ---
>>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>>  1 file changed, 28 insertions(+)
>>
>> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
>> index 42cf207..e2dbf8d 100644
>> --- a/extensions/libxt_CONNMARK.c
>> +++ b/extensions/libxt_CONNMARK.c
>> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>>       }
>>  }
>>
>> +static int
>> +connmark_tg_xlate(const struct xt_entry_target *target,
>> +               struct xt_xlate *xl, int numeric)
>> +{
>> +     const struct xt_connmark_tginfo1 *info = (const void *)target->data;
>> +
>> +     switch (info->mode) {
>> +     case XT_CONNMARK_SET:
>> +             xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
>> +             break;
>> +     case XT_CONNMARK_SAVE:
>> +             xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
>> +                          info->nfmask, info->ctmask);
>> +             break;
>> +     case XT_CONNMARK_RESTORE:
>> +             xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
>> +                          info->nfmask, info->ctmask);
>
> This translation is not correct.
>

Thanks for the feedback. Could you please tell me the mistake as I am
not able to figure out my mistake?

Thanks,
Bhumika


* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 17:03 ` Piyush Pangtey
@ 2016-03-09 17:20   ` Bhumika Goyal
  0 siblings, 0 replies; 9+ messages in thread
From: Bhumika Goyal @ 2016-03-09 17:20 UTC (permalink / raw)
  To: Piyush Pangtey; +Cc: netfilter

On Wed, Mar 9, 2016 at 10:33 PM, Piyush Pangtey <gokuvsvegita@gmail.com> wrote:
> Hello Bhumika,
>
> On Wednesday 09 March 2016 09:28 PM, Bhumika Goyal wrote:
>> Add translation for target CONNMARK to nftables.
>>
>> Examples:
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
>> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
>> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
>>
>> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
>> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
>                                                                   ^^^^^^^^^^^^^^
>                                                                   this does not work

Thanks for the feedback.
Do the other two translations, for --save-mark and --restore-mark, look OK?
Please suggest an improvement for the --set-mark translation.

>> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
>> ---
>>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>>  1 file changed, 28 insertions(+)
>>
>> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
>> index 42cf207..e2dbf8d 100644
>> --- a/extensions/libxt_CONNMARK.c
>> +++ b/extensions/libxt_CONNMARK.c
>> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>>       }
>>  }
>>
>> +static int
>> +connmark_tg_xlate(const struct xt_entry_target *target,
>> +               struct xt_xlate *xl, int numeric)
>> +{
>> +     const struct xt_connmark_tginfo1 *info = (const void *)target->data;
>> +
>> +     switch (info->mode) {
>> +     case XT_CONNMARK_SET:
>> +             xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
>> +             break;
>> +     case XT_CONNMARK_SAVE:
>> +             xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
>                                 ^
>                                 missing space here
>
>> +                          info->nfmask, info->ctmask);
>> +             break;
>> +     case XT_CONNMARK_RESTORE:
>> +             xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
>                                 ^
>                                 missing space here
>
>> +                          info->nfmask, info->ctmask);
>> +             break;
>> +     default:
>> +             /* Should not happen */
>                 ^^^^^^^^^^^^^^^^^^^^^^^
>                 this comment is not meaningful
>

Ok I will remove the comment.

Thanks,
Bhumika
>> +             break;
>> +     }
>> +
>> +     return 1;
>> +}
>> +
>>  static struct xtables_target connmark_tg_reg[] = {
>>       {
>>               .family        = NFPROTO_UNSPEC,
>> @@ -362,6 +388,7 @@ static struct xtables_target connmark_tg_reg[] = {
>>               .x6_parse      = CONNMARK_parse,
>>               .x6_fcheck     = connmark_tg_check,
>>               .x6_options    = CONNMARK_opts,
>> +             .xlate         = connmark_tg_xlate,
>>       },
>>       {
>>               .version       = XTABLES_VERSION,
>> @@ -377,6 +404,7 @@ static struct xtables_target connmark_tg_reg[] = {
>>               .x6_parse      = connmark_tg_parse,
>>               .x6_fcheck     = connmark_tg_check,
>>               .x6_options    = connmark_tg_opts,
>> +             .xlate         = connmark_tg_xlate,
>>       },
>>  };
>>
>>
>
>
>


* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 17:12   ` Bhumika Goyal
@ 2016-03-09 17:28     ` Pablo Neira Ayuso
  2016-03-09 18:08       ` Bhumika Goyal
  0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2016-03-09 17:28 UTC (permalink / raw)
  To: Bhumika Goyal; +Cc: outreachy-kernel, Shivani Bhardwaj, netfilter

On Wed, Mar 09, 2016 at 10:42:13PM +0530, Bhumika Goyal wrote:
> On Wed, Mar 9, 2016 at 10:22 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 09, 2016 at 09:28:53PM +0530, Bhumika Goyal wrote:
> >> Add translation for target CONNMARK to nftables.
> >>
> >> Examples:
> >>
> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
> >> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
> >>
> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
> >> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
> >>
> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
> >> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
> >>
> >> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
> >> ---
> >>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
> >>  1 file changed, 28 insertions(+)
> >>
> >> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
> >> index 42cf207..e2dbf8d 100644
> >> --- a/extensions/libxt_CONNMARK.c
> >> +++ b/extensions/libxt_CONNMARK.c
> >> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
> >>       }
> >>  }
> >>
> >> +static int
> >> +connmark_tg_xlate(const struct xt_entry_target *target,
> >> +               struct xt_xlate *xl, int numeric)
> >> +{
> >> +     const struct xt_connmark_tginfo1 *info = (const void *)target->data;
> >> +
> >> +     switch (info->mode) {
> >> +     case XT_CONNMARK_SET:
> >> +             xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
> >> +             break;
> >> +     case XT_CONNMARK_SAVE:
> >> +             xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
> >> +                          info->nfmask, info->ctmask);
> >> +             break;
> >> +     case XT_CONNMARK_RESTORE:
> >> +             xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
> >> +                          info->nfmask, info->ctmask);
> >
> > This translation is not correct.
> >
> 
> Thanks for the feedback. Could you please tell me the mistake as I am
> not able to figure out my mistake?

You have to test your translations, to make sure they work fine with
nft:

# nft add rule filter PREROUTING nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
<cmdline>:1:32-34: Error: syntax error, unexpected add
add rule filter PREROUTING nft add rule ip mangle PREROUTING tcp dport
80 counter mark restore nfmask 0xc ctmask 0xc
                               ^^^

This syntax is not correct. Please, have a look at the wiki and
investigate how to translate this. Thanks.


* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 15:58 [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft Bhumika Goyal
  2016-03-09 16:52 ` Pablo Neira Ayuso
  2016-03-09 17:03 ` Piyush Pangtey
@ 2016-03-09 17:31 ` Shivani Bhardwaj
  2 siblings, 0 replies; 9+ messages in thread
From: Shivani Bhardwaj @ 2016-03-09 17:31 UTC (permalink / raw)
  To: Bhumika Goyal, outreachy-kernel; +Cc: Pablo Neira Ayuso, netfilter

On Wed, Mar 9, 2016 at 9:28 PM, Bhumika Goyal <bhumirks@gmail.com> wrote:
> Add translation for target CONNMARK to nftables.
>
Hi Bhumika,

> Examples:
>
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
>
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
>
> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
>

In nftables, I'm seeing mangle supporting only chains with hook
output; let Pablo comment on this.

I'm giving you an example using the output chain only.
For the rules that you've written above, say rule 1:

nft add rule ip mangle OUTPUT tcp dport 80 counter mark save nfmask
0xffffffff ctmask 0xffffffff

You should carry out the testing as follows:

$ sudo nft add table mangle
$ sudo nft add chain mangle OUTPUT { type route hook output priority 0\;}
$ sudo <your rule goes here>

Now, if nftables does not throw any errors, maybe your translation is
correct; this one, however, throws errors. Look out for the correct
translation code.
Hint: http://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation

Thanks.

> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
> ---
>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)
>
> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
> index 42cf207..e2dbf8d 100644
> --- a/extensions/libxt_CONNMARK.c
> +++ b/extensions/libxt_CONNMARK.c
> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>         }
>  }
>
> +static int
> +connmark_tg_xlate(const struct xt_entry_target *target,
> +                 struct xt_xlate *xl, int numeric)
> +{
> +       const struct xt_connmark_tginfo1 *info = (const void *)target->data;
> +
> +       switch (info->mode) {
> +       case XT_CONNMARK_SET:
> +               xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
> +               break;
> +       case XT_CONNMARK_SAVE:
> +               xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
> +                            info->nfmask, info->ctmask);
> +               break;
> +       case XT_CONNMARK_RESTORE:
> +               xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
> +                            info->nfmask, info->ctmask);
> +               break;
> +       default:
> +               /* Should not happen */
> +               break;
> +       }
> +
> +       return 1;
> +}
> +
>  static struct xtables_target connmark_tg_reg[] = {
>         {
>                 .family        = NFPROTO_UNSPEC,
> @@ -362,6 +388,7 @@ static struct xtables_target connmark_tg_reg[] = {
>                 .x6_parse      = CONNMARK_parse,
>                 .x6_fcheck     = connmark_tg_check,
>                 .x6_options    = CONNMARK_opts,
> +               .xlate         = connmark_tg_xlate,
>         },
>         {
>                 .version       = XTABLES_VERSION,
> @@ -377,6 +404,7 @@ static struct xtables_target connmark_tg_reg[] = {
>                 .x6_parse      = connmark_tg_parse,
>                 .x6_fcheck     = connmark_tg_check,
>                 .x6_options    = connmark_tg_opts,
> +               .xlate         = connmark_tg_xlate,
>         },
>  };
>
> --
> 1.9.1
>


* Re: [PATCH] extensions: libxt_CONNMARK.c: Add translation to nft
  2016-03-09 17:28     ` Pablo Neira Ayuso
@ 2016-03-09 18:08       ` Bhumika Goyal
  0 siblings, 0 replies; 9+ messages in thread
From: Bhumika Goyal @ 2016-03-09 18:08 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: outreachy-kernel, Shivani Bhardwaj, netfilter

On Wed, Mar 9, 2016 at 10:58 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 09, 2016 at 10:42:13PM +0530, Bhumika Goyal wrote:
>> On Wed, Mar 9, 2016 at 10:22 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Wed, Mar 09, 2016 at 09:28:53PM +0530, Bhumika Goyal wrote:
>> >> Add translation for target CONNMARK to nftables.
>> >>
>> >> Examples:
>> >>
>> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp  --dport 80 -j CONNMARK --save-mark
>> >> nft add rule ip mangle PREROUTING tcp dport 80 counter mark save nfmask 0xffffffff ctmask 0xffffffff
>> >>
>> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 80 -j CONNMARK --restore-mark --mask 12
>> >> nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
>> >>
>> >> $ sudo iptables-translate -t mangle -A PREROUTING -p tcp --dport 22 -j CONNMARK --set-mark 2
>> >> nft add rule ip mangle PREROUTING tcp dport 22 counter mark set 0x2/0xffffffff
>> >>
>> >> Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
>> >> ---
>> >>  extensions/libxt_CONNMARK.c | 28 ++++++++++++++++++++++++++++
>> >>  1 file changed, 28 insertions(+)
>> >>
>> >> diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
>> >> index 42cf207..e2dbf8d 100644
>> >> --- a/extensions/libxt_CONNMARK.c
>> >> +++ b/extensions/libxt_CONNMARK.c
>> >> @@ -347,6 +347,32 @@ connmark_tg_save(const void *ip, const struct xt_entry_target *target)
>> >>       }
>> >>  }
>> >>
>> >> +static int
>> >> +connmark_tg_xlate(const struct xt_entry_target *target,
>> >> +               struct xt_xlate *xl, int numeric)
>> >> +{
>> >> +     const struct xt_connmark_tginfo1 *info = (const void *)target->data;
>> >> +
>> >> +     switch (info->mode) {
>> >> +     case XT_CONNMARK_SET:
>> >> +             xt_xlate_add(xl, "mark set 0x%x/0x%x", info->ctmark, info->ctmask);
>> >> +             break;
>> >> +     case XT_CONNMARK_SAVE:
>> >> +             xt_xlate_add(xl,"mark save nfmask 0x%x ctmask 0x%x",
>> >> +                          info->nfmask, info->ctmask);
>> >> +             break;
>> >> +     case XT_CONNMARK_RESTORE:
>> >> +             xt_xlate_add(xl,"mark restore nfmask 0x%x ctmask 0x%x",
>> >> +                          info->nfmask, info->ctmask);
>> >
>> > This translation is not correct.
>> >
>>
>> Thanks for the feedback. Could you please tell me the mistake as I am
>> not able to figure out my mistake?
>
> You have to test your translations, to make sure they work fine with
> nft:
>
> # nft add rule filter PREROUTING nft add rule ip mangle PREROUTING tcp dport 80 counter mark restore nfmask 0xc ctmask 0xc
> <cmdline>:1:32-34: Error: syntax error, unexpected add
> add rule filter PREROUTING nft add rule ip mangle PREROUTING tcp dport
> 80 counter mark restore nfmask 0xc ctmask 0xc
>                                ^^^
>
> This syntax is not correct. Please, have a look at the wiki and
> investigate how to translate this. Thanks.

Ok. I will read more on the wiki and then try to correct it.

Thanks,
Bhumika

