static int rt_xlate(const struct xt_entry_match *match, struct xt_xlate *xl,
int numeric)
{
const struct ip6t_rt *rtinfo = (struct ip6t_rt *)match->data;
if (rtinfo->flags & IP6T_RT_TYP) {
xt_xlate_add(xl, "rt type%s %u ",
(rtinfo->invflags & IP6T_RT_INV_TYP) ? " !=" : "",
rtinfo->rt_type);
}
if (!(rtinfo->segsleft[0] == 0 && rtinfo->segsleft[1] == 0xFFFFFFFF)) {
xt_xlate_add(xl, "rt seg-left%s ",
(rtinfo->invflags & IP6T_RT_INV_SGS) ? " !=" : "");
if (rtinfo->segsleft[0] != rtinfo->segsleft[1])
xt_xlate_add(xl, "%u-%u ", rtinfo->segsleft[0],
rtinfo->segsleft[1]);
else
xt_xlate_add(xl, "%u ", rtinfo->segsleft[0]);
}
if (rtinfo->flags & IP6T_RT_LEN) {
xt_xlate_add(xl, "rt hdrlength%s %u ",
(rtinfo->invflags & IP6T_RT_INV_LEN) ? " !=" : "",
rtinfo->hdrlen);
}
if (rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST | IP6T_RT_FST_NSTRICT))
return 0;
return 1;
}
static int connlabel_mt_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_connlabel_mtinfo *info =
(const void *)params->match->data;
const char *name = connlabel_get_name(info->bit);
char *valbuf = NULL;
if (name == NULL) {
if (asprintf(&valbuf, "%u", info->bit) < 0)
return 0;
name = valbuf;
}
if (info->options & XT_CONNLABEL_OP_SET)
xt_xlate_add(xl, "ct label set %s ", name);
xt_xlate_add(xl, "ct label ");
if (info->options & XT_CONNLABEL_OP_INVERT)
xt_xlate_add(xl, "and %s != ", name);
xt_xlate_add(xl, "%s", name);
free(valbuf);
return 1;
}
static void print_mark_xlate(unsigned int mark, unsigned int mask,
struct xt_xlate *xl, uint32_t op)
{
if (mask != 0xffffffffU)
xt_xlate_add(xl, " and 0x%x %s 0x%x ", mark,
op == XT_OP_EQ ? "==" : "!=", mask);
else
xt_xlate_add(xl, " %s0x%x ",
op == XT_OP_EQ ? "" : "!= ", mark);
}
static int length_xlate(const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_length_info *info = (void *)match->data;
xt_xlate_add(xl, "meta length %s", info->invert ? "!= " : "");
if (info->min == info->max)
xt_xlate_add(xl, "%u ", info->min);
else
xt_xlate_add(xl, "%u-%u ", info->min, info->max);
return 1;
}
static void print_pkttype_xlate(const struct xt_pkttype_info *info,
struct xt_xlate *xl)
{
unsigned int i;
for (i = 0; i < ARRAY_SIZE(supported_types_xlate); ++i) {
if (supported_types_xlate[i].pkttype == info->pkttype) {
xt_xlate_add(xl, "%s ", supported_types_xlate[i].name);
return;
}
}
xt_xlate_add(xl, "%d", info->pkttype);
}
static int
owner_mt_print_gid_xlate(const struct xt_owner_match_info *info,
struct xt_xlate *xl)
{
xt_xlate_add(xl, "skgid%s ", info->invert ? " !=" : "");
if (info->gid_min != info->gid_max)
xt_xlate_add(xl, "%u-%u ", (unsigned int)info->gid_min,
(unsigned int)info->gid_max);
else
xt_xlate_add(xl, "%u ", (unsigned int)info->gid_min);
return 1;
}
static int NFQUEUE_xlate_v1(const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct xt_NFQ_info_v1 *tinfo = (const void *)target->data;
unsigned int last = tinfo->queues_total;
if (last > 1) {
last += tinfo->queuenum - 1;
xt_xlate_add(xl, "queue num %u-%u ", tinfo->queuenum, last);
} else {
xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
}
return 1;
}
static int tee_tg6_xlate(const void *ip, const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct xt_tee_tginfo *info = (const void *)target->data;
if (numeric)
xt_xlate_add(xl, "dup to %s",
xtables_ip6addr_to_numeric(&info->gw.in6));
else
xt_xlate_add(xl, "dup to %s",
xtables_ip6addr_to_anyname(&info->gw.in6));
if (*info->oif != '\0')
xt_xlate_add(xl, " device %s", info->oif);
return 1;
}
static int cgroup_xlate_v0(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_cgroup_info_v0 *info = (void *)params->match->data;
xt_xlate_add(xl, "meta cgroup %s%u", info->invert ? "!= " : "",
info->id);
return 1;
}
static int pkttype_xlate(const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_pkttype_info *info = (const void *)match->data;
xt_xlate_add(xl, "pkttype%s ", info->invert ? " !=" : "");
print_pkttype_xlate(info, xl);
return 1;
}
static void print_range_xlate(const struct nf_nat_ipv4_range *r,
struct xt_xlate *xl)
{
if (r->flags & NF_NAT_RANGE_MAP_IPS) {
struct in_addr a;
a.s_addr = r->min_ip;
xt_xlate_add(xl, "%s", xtables_ipaddr_to_numeric(&a));
if (r->max_ip != r->min_ip) {
a.s_addr = r->max_ip;
xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&a));
}
}
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, ":%hu", ntohs(r->min.tcp.port));
if (r->max.tcp.port != r->min.tcp.port)
xt_xlate_add(xl, "-%hu", ntohs(r->max.tcp.port));
}
}
static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct nft_xt_cmd_parse *p,
const struct iptables_command_state *cs, bool append)
{
struct xt_xlate *xl = xt_xlate_alloc(10240);
int ret;
if (append) {
xt_xlate_add(xl, "add rule bridge %s %s ", p->table, p->chain);
} else {
xt_xlate_add(xl, "insert rule bridge %s %s ", p->table, p->chain);
}
ret = h->ops->xlate(cs, xl);
if (ret)
printf("%s\n", xt_xlate_get(xl));
xt_xlate_free(xl);
return ret;
}
static int NFQUEUE_xlate(const void *ip, const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct xt_NFQ_info *tinfo =
(const struct xt_NFQ_info *)target->data;
xt_xlate_add(xl, "queue num %u ", tinfo->queuenum);
return 1;
}
static int
MASQUERADE_xlate(const void *ip, const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct nf_nat_range *r = (const void *)target->data;
xt_xlate_add(xl, "masquerade");
if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
xt_xlate_add(xl, " to :%hu", ntohs(r->min_proto.tcp.port));
if (r->max_proto.tcp.port != r->min_proto.tcp.port)
xt_xlate_add(xl, "-%hu", ntohs(r->max_proto.tcp.port));
}
xt_xlate_add(xl, " ");
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random ");
return 1;
}
static int NFQUEUE_xlate_v3(const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct xt_NFQ_info_v3 *info = (void *)target->data;
NFQUEUE_xlate_v2(target, xl, numeric);
if (info->flags & NFQ_FLAG_CPU_FANOUT)
xt_xlate_add(xl, "%sfanout ", info->flags & NFQ_FLAG_BYPASS ? "," : "");
return 1;
}
static int brlog_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ebt_log_info *loginfo = (const void *)params->target->data;
xt_xlate_add(xl, "log");
if (loginfo->prefix[0]) {
if (params->escape_quotes)
xt_xlate_add(xl, " prefix \\\"%s\\\"", loginfo->prefix);
else
xt_xlate_add(xl, " prefix \"%s\"", loginfo->prefix);
}
if (loginfo->loglevel != LOG_DEFAULT_LEVEL)
xt_xlate_add(xl, " level %s", eight_priority[loginfo->loglevel].c_name);
xt_xlate_add(xl, " flags ether ");
return 1;
}
static void
print_realm_xlate(unsigned long id, unsigned long mask,
int numeric, struct xt_xlate *xl, uint32_t op)
{
const char *name = NULL;
if (mask != 0xffffffff)
xt_xlate_add(xl, " and 0x%lx %s 0x%lx", mask,
op == XT_OP_EQ ? "==" : "!=", id);
else {
if (numeric == 0)
name = xtables_lmap_id2name(realms, id);
if (name)
xt_xlate_add(xl, "%s%s",
op == XT_OP_EQ ? "" : "!= ", name);
else
xt_xlate_add(xl, " %s0x%lx",
op == XT_OP_EQ ? "" : "!= ", id);
}
}
static void
print_devgroup_xlate(unsigned int id, uint32_t op, unsigned int mask,
struct xt_xlate *xl, int numeric)
{
const char *name = NULL;
if (mask != 0xffffffff)
xt_xlate_add(xl, "and 0x%x %s 0x%x", mask,
op == XT_OP_EQ ? "==" : "!=", id);
else {
if (numeric == 0)
name = xtables_lmap_id2name(devgroups, id);
xt_xlate_add(xl, "%s", op == XT_OP_EQ ? "" : "!= ");
if (name)
xt_xlate_add(xl, "%s", name);
else
xt_xlate_add(xl, "0x%x", id);
}
}
static int NFQUEUE_xlate_v2(const struct xt_entry_target *target,
struct xt_xlate *xl, int numeric)
{
const struct xt_NFQ_info_v2 *info = (void *) target->data;
NFQUEUE_xlate_v1(target, xl, numeric);
if (info->bypass & NFQ_FLAG_BYPASS)
xt_xlate_add(xl, "bypass");
return 1;
}
static void
print_iprange_xlate(const struct ipt_iprange *range,
struct xt_xlate *xl)
{
const unsigned char *byte_min, *byte_max;
byte_min = (const unsigned char *)&range->min_ip;
byte_max = (const unsigned char *)&range->max_ip;
xt_xlate_add(xl, " %u.%u.%u.%u-%u.%u.%u.%u ",
byte_min[0], byte_min[1], byte_min[2], byte_min[3],
byte_max[0], byte_max[1], byte_max[2], byte_max[3]);
}
static int iprange_mt6_xlate(const void *ip, const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_iprange_mtinfo *info = (const void *)match->data;
char *space = "";
if (info->flags & IPRANGE_SRC) {
if (info->flags & IPRANGE_SRC_INV)
xt_xlate_add(xl, "!= ");
xt_xlate_add(xl, "ip saddr %s",
xtables_ip6addr_to_numeric(&info->src_min.in6));
xt_xlate_add(xl, "-%s",
xtables_ip6addr_to_numeric(&info->src_max.in6));
space = " ";
}
if (info->flags & IPRANGE_DST) {
if (info->flags & IPRANGE_DST_INV) {
xt_xlate_add(xl, "%s!= ", space);
space = "";
}
xt_xlate_add(xl, "%sip daddr %s", space,
xtables_ip6addr_to_numeric(&info->dst_min.in6));
xt_xlate_add(xl, "-%s",
xtables_ip6addr_to_numeric(&info->dst_max.in6));
}
return 1;
}
static int dccp_xlate(const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_dccp_info *einfo =
(const struct xt_dccp_info *)match->data;
int ret = 1;
xt_xlate_add(xl, "dccp ");
if (einfo->flags & XT_DCCP_SRC_PORTS) {
if (einfo->spts[0] != einfo->spts[1])
xt_xlate_add(xl, "sport%s %u-%u ",
einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
einfo->spts[0], einfo->spts[1]);
else
xt_xlate_add(xl, "sport%s %u ",
einfo->invflags & XT_DCCP_SRC_PORTS ? " !=" : "",
einfo->spts[0]);
}
if (einfo->flags & XT_DCCP_DEST_PORTS) {
if (einfo->dpts[0] != einfo->dpts[1])
xt_xlate_add(xl, "dport%s %u-%u ",
einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
einfo->dpts[0], einfo->dpts[1]);
else
xt_xlate_add(xl, "dport%s %u ",
einfo->invflags & XT_DCCP_DEST_PORTS ? " !=" : "",
einfo->dpts[0]);
}
if (einfo->flags & XT_DCCP_TYPE)
ret = dccp_type_xlate(einfo, xl);
if (einfo->flags & XT_DCCP_OPTION)
ret = 0;
return ret;
}
static int mark_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_mark_info *info = (const void *)params->match->data;
enum xt_op op = XT_OP_EQ;
if (info->invert)
op = XT_OP_NEQ;
xt_xlate_add(xl, "mark");
print_mark_xlate(xl, info->mark, info->mask, op);
return 1;
}
static int REJECT_xlate(struct xt_xlate *xl,
const struct xt_xlate_tg_params *params)
{
const struct ipt_reject_info *reject =
(const struct ipt_reject_info *)params->target->data;
unsigned int i;
for (i = 0; i < ARRAY_SIZE(reject_table_xlate); ++i) {
if (reject_table_xlate[i].with == reject->with)
break;
}
if (reject->with == IPT_ICMP_PORT_UNREACHABLE)
xt_xlate_add(xl, "reject");
else if (reject->with == IPT_TCP_RESET)
xt_xlate_add(xl, "reject with %s",
reject_table_xlate[i].name);
else
xt_xlate_add(xl, "reject with icmp type %s",
reject_table_xlate[i].name);
return 1;
}
static void devgroup_show_xlate(const struct xt_devgroup_info *info,
struct xt_xlate *xl, int numeric)
{
enum xt_op op = XT_OP_EQ;
char *space = "";
if (info->flags & XT_DEVGROUP_MATCH_SRC) {
if (info->flags & XT_DEVGROUP_INVERT_SRC)
op = XT_OP_NEQ;
xt_xlate_add(xl, "iifgroup ");
print_devgroup_xlate(info->src_group, op,
info->src_mask, xl, numeric);
space = " ";
}
if (info->flags & XT_DEVGROUP_MATCH_DST) {
if (info->flags & XT_DEVGROUP_INVERT_DST)
op = XT_OP_NEQ;
xt_xlate_add(xl, "%soifgroup ", space);
print_devgroup_xlate(info->dst_group, op,
info->dst_mask, xl, numeric);
}
}
static int connmark_xlate(const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_connmark_info *info = (const void *)match->data;
enum xt_op op = XT_OP_EQ;
if (info->invert)
op = XT_OP_NEQ;
xt_xlate_add(xl, "ct mark");
print_mark_xlate(info->mark, info->mask, xl, op);
return 1;
}
static int realm_xlate(const void *ip, const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct xt_realm_info *ri = (const void *)match->data;
enum xt_op op = XT_OP_EQ;
if (ri->invert)
op = XT_OP_NEQ;
xt_xlate_add(xl, "rtclassid");
print_realm_xlate(ri->id, ri->mask, 0, xl, op);
return 1;
}
static int udp_xlate(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_udp *udpinfo = (struct xt_udp *)params->match->data;
char *space= "";
if (udpinfo->spts[0] != 0 || udpinfo->spts[1] != 0xFFFF) {
if (udpinfo->spts[0] != udpinfo->spts[1]) {
xt_xlate_add(xl,"udp sport %s%u-%u",
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->spts[0], udpinfo->spts[1]);
} else {
xt_xlate_add(xl, "udp sport %s%u",
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->spts[0]);
}
space = " ";
}
if (udpinfo->dpts[0] != 0 || udpinfo->dpts[1] != 0xFFFF) {
if (udpinfo->dpts[0] != udpinfo->dpts[1]) {
xt_xlate_add(xl,"%sudp dport %s%u-%u", space,
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->dpts[0], udpinfo->dpts[1]);
} else {
xt_xlate_add(xl,"%sudp dport %s%u", space,
udpinfo->invflags & XT_UDP_INV_SRCPT ?
"!= ": "",
udpinfo->dpts[0]);
}
}
return 1;
}
static int iprange_xlate(const void *ip, const struct xt_entry_match *match,
struct xt_xlate *xl, int numeric)
{
const struct ipt_iprange_info *info = (const void *)match->data;
char *space = "";
if (info->flags & IPRANGE_SRC) {
if (info->flags & IPRANGE_SRC_INV)
xt_xlate_add(xl, "!= ");
xt_xlate_add(xl, "ip saddr");
print_iprange_xlate(&info->src, xl);
space = " ";
}
if (info->flags & IPRANGE_DST) {
if (info->flags & IPRANGE_DST_INV) {
xt_xlate_add(xl, "%s!= ", space);
space = "";
}
xt_xlate_add(xl, "%sip daddr", space);
print_iprange_xlate(&info->dst, xl);
}
return 1;
}
static int cgroup_xlate_v1(struct xt_xlate *xl,
const struct xt_xlate_mt_params *params)
{
const struct xt_cgroup_info_v1 *info = (void *)params->match->data;
if (info->has_path)
return 0;
if (info->has_classid)
xt_xlate_add(xl, "meta cgroup %s%u",
info->invert_classid ? "!= " : "",
info->classid);
return 1;
}
