New upstream version 1.8.1

extensions/libxt_cgroup.c

@@ -51,6 +51,24 @@ static const struct xt_option_entry cgroup_opts_v1[] = {
 	XTOPT_TABLEEND,
 };
 
+static const struct xt_option_entry cgroup_opts_v2[] = {
+	{
+		.name = "path",
+		.id = O_PATH,
+		.type = XTTYPE_STRING,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v2, path)
+	},
+	{
+		.name = "cgroup",
+		.id = O_CLASSID,
+		.type = XTTYPE_UINT32,
+		.flags = XTOPT_INVERT | XTOPT_PUT,
+		XTOPT_POINTER(struct xt_cgroup_info_v2, classid)
+	},
+	XTOPT_TABLEEND,
+};
+
 static void cgroup_parse_v0(struct xt_option_call *cb)
 {
 	struct xt_cgroup_info_v0 *cgroupinfo = cb->data;
@@ -80,6 +98,26 @@ static void cgroup_parse_v1(struct xt_option_call *cb)
 	}
 }
 
+static void cgroup_parse_v2(struct xt_option_call *cb)
+{
+	struct xt_cgroup_info_v2 *info = cb->data;
+
+	xtables_option_parse(cb);
+
+	switch (cb->entry->id) {
+	case O_PATH:
+		info->has_path = true;
+		if (cb->invert)
+			info->invert_path = true;
+		break;
+	case O_CLASSID:
+		info->has_classid = true;
+		if (cb->invert)
+			info->invert_classid = true;
+		break;
+	}
+}
+
 static void
 cgroup_print_v0(const void *ip, const struct xt_entry_match *match, int numeric)
 {
@@ -121,6 +159,32 @@ static void cgroup_save_v1(const void *ip, const struct xt_entry_match *match)
 		       info->classid);
 }
 
+static void
+cgroup_print_v2(const void *ip, const struct xt_entry_match *match, int numeric)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)match->data;
+
+	printf(" cgroup");
+	if (info->has_path)
+		printf(" %s%s", info->invert_path ? "! ":"", info->path);
+	if (info->has_classid)
+		printf(" %s%u", info->invert_classid ? "! ":"", info->classid);
+}
+
+static void cgroup_save_v2(const void *ip, const struct xt_entry_match *match)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)match->data;
+
+	if (info->has_path) {
+		printf("%s --path", info->invert_path ? " !" : "");
+		xtables_save_string(info->path);
+	}
+
+	if (info->has_classid)
+		printf("%s --cgroup %u", info->invert_classid ? " !" : "",
+		       info->classid);
+}
+
 static int cgroup_xlate_v0(struct xt_xlate *xl,
 			   const struct xt_xlate_mt_params *params)
 {
@@ -147,6 +211,22 @@ static int cgroup_xlate_v1(struct xt_xlate *xl,
 	return 1;
 }
 
+static int cgroup_xlate_v2(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_cgroup_info_v2 *info = (void *)params->match->data;
+
+	if (info->has_path)
+		return 0;
+
+	if (info->has_classid)
+		xt_xlate_add(xl, "meta cgroup %s%u",
+			     info->invert_classid ? "!= " : "",
+			     info->classid);
+
+	return 1;
+}
+
 static struct xtables_match cgroup_match[] = {
 	{
 		.family		= NFPROTO_UNSPEC,
@@ -176,6 +256,20 @@ static struct xtables_match cgroup_match[] = {
 		.x6_options	= cgroup_opts_v1,
 		.xlate		= cgroup_xlate_v1,
 	},
+	{
+		.family		= NFPROTO_UNSPEC,
+		.revision	= 2,
+		.name		= "cgroup",
+		.version	= XTABLES_VERSION,
+		.size		= XT_ALIGN(sizeof(struct xt_cgroup_info_v2)),
+		.userspacesize	= offsetof(struct xt_cgroup_info_v2, priv),
+		.help		= cgroup_help_v1,
+		.print		= cgroup_print_v2,
+		.save		= cgroup_save_v2,
+		.x6_parse	= cgroup_parse_v2,
+		.x6_options	= cgroup_opts_v2,
+		.xlate		= cgroup_xlate_v2,
+	},
 };
 
 void _init(void)

extensions/libxt_cgroup.txlate

+iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT
+nft add rule ip filter INPUT meta cgroup 0 counter accept
+
+iptables-translate -t filter -A INPUT -m cgroup ! --cgroup 0 -j ACCEPT
+nft add rule ip filter INPUT meta cgroup != 0 counter accept

extensions/libxt_cluster.c

@@ -126,6 +126,56 @@ cluster_save(const void *ip, const struct xt_entry_match *match)
 		info->total_nodes, info->hash_seed);
 }
 
+static int cluster_xlate(struct xt_xlate *xl,
+			 const struct xt_xlate_mt_params *params)
+{
+	int node, shift_value = 1, comma_needed = 0;
+	uint32_t temp_node_mask, node_id = 0, needs_set = 0;
+	const struct xt_cluster_match_info *info = (void *)params->match->data;
+	const char *jhash_st = "jhash ct original saddr mod";
+	const char *pkttype_st = "meta pkttype set host";
+
+	if (!(info->node_mask & (info->node_mask - 1))) {
+		if (info->node_mask <= 2)
+			xt_xlate_add(xl, "%s %u seed 0x%08x eq %u %s", jhash_st,
+					info->total_nodes, info->hash_seed,
+					info->node_mask, pkttype_st);
+		else {
+			temp_node_mask = info->node_mask;
+			while (1) {
+				temp_node_mask = temp_node_mask >> shift_value;
+				node_id++;
+				if (temp_node_mask == 0)
+					break;
+			}
+			xt_xlate_add(xl, "%s %u seed 0x%08x eq %u %s", jhash_st,
+					info->total_nodes, info->hash_seed,
+					node_id, pkttype_st);
+		}
+	} else {
+		xt_xlate_add(xl, "%s %u seed 0x%08x ", jhash_st,
+				info->total_nodes, info->hash_seed);
+		for (node = 0; node < 32; node++) {
+			if (info->node_mask & (1 << node)) {
+				if (needs_set == 0) {
+					xt_xlate_add(xl, "{ ");
+					needs_set = 1;
+				}
+
+				if (comma_needed)
+					xt_xlate_add(xl, ", ");
+				xt_xlate_add(xl, "%u", node);
+				comma_needed++;
+			}
+		}
+		if (needs_set)
+			xt_xlate_add(xl, " }");
+		xt_xlate_add(xl, " %s", pkttype_st);
+	}
+
+	return 1;
+}
+
 static struct xtables_match cluster_mt_reg = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "cluster",
@@ -138,6 +188,7 @@ static struct xtables_match cluster_mt_reg = {
 	.x6_parse	= cluster_parse,
 	.x6_fcheck	= cluster_check,
 	.x6_options	= cluster_opts,
+	.xlate		= cluster_xlate,
 };
 
 void _init(void)

extensions/libxt_cluster.txlate

+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-node 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 2 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 2 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 1 --cluster-local-nodemask 1 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 1 seed 0xdeadbeef eq 1 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-node 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 32 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 32 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef eq 6 meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 32 --cluster-local-nodemask 5 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 32 seed 0xdeadbeef { 0, 2 } meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-nodemask 9 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef { 0, 3 } meta pkttype set host counter meta mark set 0xffff
+
+iptables-translate -A PREROUTING -t mangle -i eth1 -m cluster --cluster-total-nodes 7 --cluster-local-node 5 --cluster-hash-seed 0xdeadbeef -j MARK --set-mark 0xffff
+nft add rule ip mangle PREROUTING iifname "eth1" jhash ct original saddr mod 7 seed 0xdeadbeef eq 5 meta pkttype set host counter meta mark set 0xffff

extensions/libxt_comment.c

@@ -52,17 +52,16 @@ static int comment_xlate(struct xt_xlate *xl,
 			 const struct xt_xlate_mt_params *params)
 {
 	struct xt_comment_info *commentinfo = (void *)params->match->data;
-	char comment[XT_MAX_COMMENT_LEN];
+	char comment[XT_MAX_COMMENT_LEN + sizeof("\\\"\\\"")];
 
 	commentinfo->comment[XT_MAX_COMMENT_LEN - 1] = '\0';
 	if (params->escape_quotes)
-		snprintf(comment, XT_MAX_COMMENT_LEN, "\\\"%s\\\"",
+		snprintf(comment, sizeof(comment), "\\\"%s\\\"",
 			 commentinfo->comment);
 	else
-		snprintf(comment, XT_MAX_COMMENT_LEN, "\"%s\"",
+		snprintf(comment, sizeof(comment), "\"%s\"",
 			 commentinfo->comment);
 
-	comment[XT_MAX_COMMENT_LEN - 1] = '\0';
 	xt_xlate_add_comment(xl, comment);
 
 	return 1;

extensions/libxt_comment.txlate

+iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
+nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
+
+iptables-translate -A INPUT -p tcp -m tcp --sport http -s  192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
+nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
+
+iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
+nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter drop comment \"singlecomment\"

extensions/libxt_connbytes.txlate

+iptables-translate -A OUTPUT -m connbytes --connbytes 200 --connbytes-dir original --connbytes-mode packets
+nft add rule ip filter OUTPUT ct original packets ge 200 counter
+
+iptables-translate -A OUTPUT -m connbytes ! --connbytes 200 --connbytes-dir reply --connbytes-mode packets
+nft add rule ip filter OUTPUT ct reply packets lt 200 counter
+
+iptables-translate -A OUTPUT -m connbytes --connbytes 200:600 --connbytes-dir both --connbytes-mode bytes
+nft add rule ip filter OUTPUT ct bytes 200-600 counter
+
+iptables-translate -A OUTPUT -m connbytes ! --connbytes 200:600 --connbytes-dir both --connbytes-mode bytes
+nft add rule ip filter OUTPUT ct bytes != 200-600 counter
+
+iptables-translate -A OUTPUT -m connbytes --connbytes 200:200 --connbytes-dir both --connbytes-mode avgpkt
+nft add rule ip filter OUTPUT ct avgpkt 200 counter

extensions/libxt_connlabel.txlate

+iptables-translate -A INPUT -m connlabel --label bit40
+nft add rule ip filter INPUT ct label bit40 counter
+
+iptables-translate -A INPUT -m connlabel ! --label bit40 --set
+nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter

extensions/libxt_connmark.c

@@ -69,14 +69,6 @@ static void connmark_parse(struct xt_option_call *cb)
 		markinfo->invert = 1;
 }
 
-static void print_mark(unsigned int mark, unsigned int mask)
-{
-	if (mask != 0xffffffffU)
-		printf(" 0x%x/0x%x", mark, mask);
-	else
-		printf(" 0x%x", mark);
-}
-
 static void
 connmark_print(const void *ip, const struct xt_entry_match *match, int numeric)
 {
@@ -85,7 +77,8 @@ connmark_print(const void *ip, const struct xt_entry_match *match, int numeric)
 	printf(" CONNMARK match ");
 	if (info->invert)
 		printf("!");
-	print_mark(info->mark, info->mask);
+
+	xtables_print_mark_mask(info->mark, info->mask);
 }
 
 static void
@@ -97,7 +90,8 @@ connmark_mt_print(const void *ip, const struct xt_entry_match *match,
 	printf(" connmark match ");
 	if (info->invert)
 		printf("!");
-	print_mark(info->mark, info->mask);
+
+	xtables_print_mark_mask(info->mark, info->mask);
 }
 
 static void connmark_save(const void *ip, const struct xt_entry_match *match)
@@ -108,7 +102,7 @@ static void connmark_save(const void *ip, const struct xt_entry_match *match)
 		printf(" !");
 
 	printf(" --mark");
-	print_mark(info->mark, info->mask);
+	xtables_print_mark_mask(info->mark, info->mask);
 }
 
 static void
@@ -120,7 +114,7 @@ connmark_mt_save(const void *ip, const struct xt_entry_match *match)
 		printf(" !");
 
 	printf(" --mark");
-	print_mark(info->mark, info->mask);
+	xtables_print_mark_mask(info->mark, info->mask);
 }
 
 static void print_mark_xlate(unsigned int mark, unsigned int mask,

extensions/libxt_connmark.txlate

+iptables-translate -A INPUT -m connmark --mark 2 -j ACCEPT
+nft add rule ip filter INPUT ct mark 0x2 counter accept
+
+iptables-translate -A INPUT -m connmark ! --mark 2 -j ACCEPT
+nft add rule ip filter INPUT ct mark != 0x2 counter accept
+
+iptables-translate -A INPUT -m connmark --mark 10/10 -j ACCEPT
+nft add rule ip filter INPUT ct mark and 0xa == 0xa counter accept
+
+iptables-translate -A INPUT -m connmark ! --mark 10/10 -j ACCEPT
+nft add rule ip filter INPUT ct mark and 0xa != 0xa counter accept
+
+iptables-translate -t mangle -A PREROUTING -p tcp --dport 40 -m connmark --mark 0x40
+nft add rule ip mangle PREROUTING tcp dport 40 ct mark 0x40 counter

extensions/libxt_conntrack.c

@@ -673,20 +673,20 @@ static void
 print_addr(const struct in_addr *addr, const struct in_addr *mask,
            int inv, int numeric)
 {
-	char buf[BUFSIZ];
-
 	if (inv)
 		printf(" !");
 
 	if (mask->s_addr == 0L && !numeric)
-		printf(" %s", "anywhere");
+		printf(" anywhere");
 	else {
 		if (numeric)
-			strcpy(buf, xtables_ipaddr_to_numeric(addr));
+			printf(" %s%s",
+			       xtables_ipaddr_to_numeric(addr),
+			       xtables_ipmask_to_numeric(mask));
 		else
-			strcpy(buf, xtables_ipaddr_to_anyname(addr));
-		strcat(buf, xtables_ipmask_to_numeric(mask));
-		printf(" %s", buf);
+			printf(" %s%s",
+			       xtables_ipaddr_to_anyname(addr),
+			       xtables_ipmask_to_numeric(mask));
 	}
 }
 
@@ -774,14 +774,6 @@ matchinfo_print(const void *ip, const struct xt_entry_match *match, int numeric,
         	else
 			printf("%lu:%lu", sinfo->expires_min, sinfo->expires_max);
 	}
-
-	if (sinfo->flags & XT_CONNTRACK_DIRECTION) {
-		if (sinfo->invflags & XT_CONNTRACK_DIRECTION)
-			printf(" %sctdir REPLY", optpfx);
-		else
-			printf(" %sctdir ORIGINAL", optpfx);
-	}
-
 }
 
 static void

extensions/libxt_conntrack.txlate

+iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT
+nft add rule ip filter INPUT ct state new,related counter accept
+
+ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
+nft add rule ip6 filter INPUT ct state != new,related counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
+nft add rule ip filter INPUT ct original protocol 17 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack ! --ctproto UDP -j ACCEPT
+nft add rule ip filter INPUT ct original protocol != 17 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.2.131 -j ACCEPT
+nft add rule ip filter INPUT ct original saddr 10.100.2.131 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctorigsrc 10.100.0.0/255.255.0.0 -j ACCEPT
+nft add rule ip filter INPUT ct original saddr 10.100.0.0/16 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctorigdst 10.100.2.131 -j ACCEPT
+nft add rule ip filter INPUT ct original daddr 10.100.2.131 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctreplsrc 10.100.2.131 -j ACCEPT
+nft add rule ip filter INPUT ct reply saddr 10.100.2.131 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctrepldst 10.100.2.131 -j ACCEPT
+nft add rule ip filter INPUT ct reply daddr 10.100.2.131 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctproto tcp --ctorigsrcport 443:444 -j ACCEPT
+nft add rule ip filter INPUT ct original protocol 6 ct original proto-src 443-444 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
+nft add rule ip filter INPUT ct status != confirmed counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
+nft add rule ip filter INPUT ct expiration 3 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctdir ORIGINAL -j ACCEPT
+nft add rule ip filter INPUT ct direction original counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW --ctproto tcp --ctorigsrc 192.168.0.1 --ctorigdst 192.168.0.1 --ctreplsrc 192.168.0.1 --ctrepldst 192.168.0.1 --ctorigsrcport 12 --ctorigdstport 14 --ctreplsrcport 16 --ctrepldstport 18 --ctexpire 10 --ctstatus SEEN_REPLY --ctdir ORIGINAL -j ACCEPT
+nft add rule ip filter INPUT ct direction original ct original protocol 6 ct state new ct status seen-reply ct expiration 10 ct original saddr 192.168.0.1 ct original daddr 192.168.0.1 ct reply saddr 192.168.0.1 ct reply daddr 192.168.0.1 ct original proto-src 12 ct original proto-dst 14 ct reply proto-src 16 ct reply proto-dst 18 counter accept

extensions/libxt_cpu.txlate

+iptables-translate -A INPUT -p tcp --dport 80 -m cpu --cpu 0 -j ACCEPT
+nft add rule ip filter INPUT tcp dport 80 cpu 0 counter accept
+
+iptables-translate -A INPUT -p tcp --dport 80 -m cpu ! --cpu 1 -j ACCEPT
+nft add rule ip filter INPUT tcp dport 80 cpu != 1 counter accept

extensions/libxt_dccp.txlate

+iptables-translate -A INPUT -p dccp -m dccp --sport 100
+nft add rule ip filter INPUT dccp sport 100 counter
+
+iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
+nft add rule ip filter INPUT dccp dport 100-200 counter
+
+iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
+nft add rule ip filter INPUT dccp dport != 100 counter
+
+iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
+nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter
+
+iptables-translate -A INPUT -p dccp -m dccp --sport 200 --dport 100
+nft add rule ip filter INPUT dccp sport 200 dport 100 counter

extensions/libxt_devgroup.c

@@ -31,60 +31,28 @@ static const struct xt_option_entry devgroup_opts[] = {
 	XTOPT_TABLEEND,
 };
 
-/* array of devgroups from /etc/iproute2/group */
+static const char f_devgroups[] = "/etc/iproute2/group";
+/* array of devgroups from f_devgroups[] */
 static struct xtables_lmap *devgroups;
 
-static void devgroup_init(struct xt_entry_match *match)
-{
-	const char file[] = "/etc/iproute2/group";
-	devgroups = xtables_lmap_init(file);
-	if (devgroups == NULL && errno != ENOENT)
-		fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno));
-}
-
-static void devgroup_parse_groupspec(const char *arg, unsigned int *group,
-				     unsigned int *mask)
-{
-	char *end;
-	bool ok;
-
-	ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX);
-	if (ok && (*end == '/' || *end == '\0')) {
-		if (*end == '/')
-			ok = xtables_strtoui(end + 1, NULL, mask,
-			                     0, UINT32_MAX);
-		else
-			*mask = ~0U;
-		if (!ok)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Bad group value \"%s\"", arg);
-	} else {
-		*group = xtables_lmap_name2id(devgroups, arg);
-		if (*group == -1)
-			xtables_error(PARAMETER_PROBLEM,
-				      "Device group \"%s\" not found", arg);
-		*mask = ~0U;
-	}
-}
-
 static void devgroup_parse(struct xt_option_call *cb)
 {
 	struct xt_devgroup_info *info = cb->data;
-	unsigned int id, mask;
+	unsigned int group, mask;
 
 	xtables_option_parse(cb);
+	xtables_parse_val_mask(cb, &group, &mask, devgroups);
+
 	switch (cb->entry->id) {
 	case O_SRC_GROUP:
-		devgroup_parse_groupspec(cb->arg, &id, &mask);
-		info->src_group = id;
+		info->src_group = group;
 		info->src_mask  = mask;
 		info->flags |= XT_DEVGROUP_MATCH_SRC;
 		if (cb->invert)
 			info->flags |= XT_DEVGROUP_INVERT_SRC;
 		break;
 	case O_DST_GROUP:
-		devgroup_parse_groupspec(cb->arg, &id, &mask);
-		info->dst_group = id;
+		info->dst_group = group;
 		info->dst_mask  = mask;
 		info->flags |= XT_DEVGROUP_MATCH_DST;
 		if (cb->invert)
@@ -93,38 +61,23 @@ static void devgroup_parse(struct xt_option_call *cb)
 	}
 }
 
-static void
-print_devgroup(unsigned int id, unsigned int mask, int numeric)
-{
-	const char *name = NULL;
-
-	if (mask != 0xffffffff)
-		printf("0x%x/0x%x", id, mask);
-	else {
-		if (numeric == 0)
-			name = xtables_lmap_id2name(devgroups, id);
-		if (name)
-			printf("%s", name);
-		else
-			printf("0x%x", id);
-	}
-}
-
 static void devgroup_show(const char *pfx, const struct xt_devgroup_info *info,
 			  int numeric)
 {
 	if (info->flags & XT_DEVGROUP_MATCH_SRC) {
 		if (info->flags & XT_DEVGROUP_INVERT_SRC)
 			printf(" !");
-		printf(" %ssrc-group ", pfx);
-		print_devgroup(info->src_group, info->src_mask, numeric);
+		printf(" %ssrc-group", pfx);
+		xtables_print_val_mask(info->src_group, info->src_mask,
+				       numeric ? NULL : devgroups);
 	}
 
 	if (info->flags & XT_DEVGROUP_MATCH_DST) {
 		if (info->flags & XT_DEVGROUP_INVERT_DST)
 			printf(" !");
-		printf(" %sdst-group ", pfx);
-		print_devgroup(info->dst_group, info->dst_mask, numeric);
+		printf(" %sdst-group", pfx);
+		xtables_print_val_mask(info->dst_group, info->dst_mask,
+				       numeric ? NULL : devgroups);
 	}
 }
 
@@ -212,7 +165,6 @@ static struct xtables_match devgroup_mt_reg = {
 	.family		= NFPROTO_UNSPEC,
 	.size		= XT_ALIGN(sizeof(struct xt_devgroup_info)),
 	.userspacesize	= XT_ALIGN(sizeof(struct xt_devgroup_info)),
-	.init		= devgroup_init,
 	.help		= devgroup_help,
 	.print		= devgroup_print,
 	.save		= devgroup_save,
@@ -224,5 +176,10 @@ static struct xtables_match devgroup_mt_reg = {
 
 void _init(void)
 {
+	devgroups = xtables_lmap_init(f_devgroups);
+	if (devgroups == NULL && errno != ENOENT)
+		fprintf(stderr, "Warning: %s: %s\n", f_devgroups,
+			strerror(errno));
+
 	xtables_register_match(&devgroup_mt_reg);
 }

extensions/libxt_devgroup.txlate

+iptables-translate -A FORWARD -m devgroup --src-group 0x2 -j ACCEPT
+nft add rule ip filter FORWARD iifgroup 0x2 counter accept
+
+iptables-translate -A FORWARD -m devgroup --dst-group 0xc/0xc -j ACCEPT
+nft add rule ip filter FORWARD oifgroup and 0xc == 0xc counter accept
+
+iptables-translate -t mangle -A PREROUTING -p tcp --dport 46000 -m devgroup --src-group 23 -j ACCEPT
+nft add rule ip mangle PREROUTING tcp dport 46000 iifgroup 0x17 counter accept
+
+iptables-translate -A FORWARD -m devgroup ! --dst-group 0xc/0xc -j ACCEPT
+nft add rule ip filter FORWARD oifgroup and 0xc != 0xc counter accept
+
+iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 -j ACCEPT
+nft add rule ip filter FORWARD iifgroup != 0x2 counter accept
+
+iptables-translate -A FORWARD -m devgroup ! --src-group 0x2 --dst-group 0xc/0xc -j ACCEPT
+nft add rule ip filter FORWARD iifgroup != 0x2 oifgroup and 0xc != 0xc counter accept

extensions/libxt_dscp.txlate

+iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
+nft add rule ip filter INPUT ip dscp 0x32 counter accept
+
+ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT
+nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept

extensions/libxt_ecn.c

@@ -124,9 +124,21 @@ static int ecn_xlate(struct xt_xlate *xl,
 	const struct xt_ecn_info *einfo =
 		(const struct xt_ecn_info *)params->match->data;
 
-	if (!(einfo->operation & XT_ECN_OP_MATCH_IP))
-		return 0;
+	if (einfo->operation & XT_ECN_OP_MATCH_ECE) {
+		xt_xlate_add(xl, "tcp flags ");
+		if (einfo->invert)
+			xt_xlate_add(xl,"!= ");
+		xt_xlate_add(xl, "ecn");
+	}
 
+	if (einfo->operation & XT_ECN_OP_MATCH_CWR) {
+		xt_xlate_add(xl, "tcp flags ");
+		if (einfo->invert)
+			xt_xlate_add(xl,"!= ");
+		xt_xlate_add(xl, "cwr");
+	}
+
+	if (einfo->operation & XT_ECN_OP_MATCH_IP) {
 		xt_xlate_add(xl, "ip ecn ");
 		if (einfo->invert)
 			xt_xlate_add(xl,"!= ");
@@ -145,6 +157,7 @@ static int ecn_xlate(struct xt_xlate *xl,
 			xt_xlate_add(xl, "ce");
 			break;
 		}
+	}
 	return 1;
 }
 

extensions/libxt_ecn.txlate

+iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
+nft add rule ip filter INPUT ip ecn not-ect counter
+
+iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
+nft add rule ip filter INPUT ip ecn ect1 counter
+
+iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
+nft add rule ip filter INPUT ip ecn ect0 counter
+
+iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
+nft add rule ip filter INPUT ip ecn ce counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
+nft add rule ip filter INPUT ip ecn != not-ect counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
+nft add rule ip filter INPUT ip ecn != ect1 counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
+nft add rule ip filter INPUT ip ecn != ect0 counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
+nft add rule ip filter INPUT ip ecn != ce counter
+
+iptables-translate -A INPUT -m ecn ! --ecn-tcp-ece
+nft add rule ip filter INPUT tcp flags != ecn counter
+
+iptables-translate -A INPUT -m ecn --ecn-tcp-cwr
+nft add rule ip filter INPUT tcp flags cwr counter

extensions/libxt_esp.txlate

+iptables-translate -A FORWARD -p esp -j ACCEPT
+nft add rule ip filter FORWARD ip protocol esp counter accept
+
+iptables-translate -A INPUT  --in-interface  wan --protocol esp -j ACCEPT
+nft add rule ip filter INPUT iifname "wan" ip protocol esp counter accept
+
+iptables-translate -A INPUT -p 50 -m esp --espspi 500 -j DROP
+nft add rule ip filter INPUT esp spi 500 counter drop
+
+iptables-translate -A INPUT -p 50 -m esp --espspi 500:600 -j DROP
+nft add rule ip filter INPUT esp spi 500-600 counter drop