From: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>

We forgot to put "!=" when devgroup can be mapped to name, so translation is wrong:
  # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
  nft add rule ip filter OUTPUT oifgroup default counter

Apply this patch:
  # iptables-translate -A OUTPUT -m devgroup ! --dst-group 0
  nft add rule ip filter OUTPUT oifgroup != default counter

Signed-off-by: Liping Zhang <liping.zhang@xxxxxxxxxxxxxx>
--- extensions/libxt_devgroup.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c index d155680..2ec3905 100644 --- a/extensions/libxt_devgroup.c +++ b/extensions/libxt_devgroup.c @@ -163,11 +163,12 @@ print_devgroup_xlate(unsigned int id, uint32_t op, unsigned int mask, else { if (numeric == 0) name = xtables_lmap_id2name(devgroups, id); + + xt_xlate_add(xl, "%s", op == XT_OP_EQ ? "" : "!= "); if (name) xt_xlate_add(xl, "%s", name); else - xt_xlate_add(xl, "%s0x%x", - op == XT_OP_EQ ? "" : "!= ", id); + xt_xlate_add(xl, "0x%x", id); } } -- 2.5.5
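
Review bot: in the else branch of print_devgroup_xlate(), the new unconditional xt_xlate_add(xl, "%s", op == XT_OP_EQ ? "" : "!= ") appends an empty string in the equality case; a plain conditional, if (op != XT_OP_EQ) xt_xlate_add(xl, "!= "), states the intent more directly and skips the no-op call. The hunk touches only this else branch, so please confirm that the branch before it, which is not visible in the context lines, already emits "!= " for a negated match, since a dropped negation turns a rule that excludes a device group into one that matches only that group. The two iptables-translate invocations in the commit message would make a natural regression case for the named-group path, and a numeric one would cover the 0x%x path that this change also rewrites.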