status_xlate_print function prints statusmask without { ... } around. But if ctstatus condition is negative, then we have to use { ... } after "!=" operator in nft Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> --- extensions/libxt_conntrack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index b3a2b2d..132d512 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1195,6 +1195,8 @@ static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) { const char *sep = ""; + xt_xlate_add(xl, "{ "); + if (statusmask & IPS_EXPECTED) { xt_xlate_add(xl, "%s%s", sep, "expected"); sep = ","; @@ -1211,6 +1213,8 @@ static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) xt_xlate_add(xl, "%s%s", sep, "confirmed"); sep = ","; } + + xt_xlate_add(xl, " }"); } static void addr_xlate_print(struct xt_xlate *xl, -- 1.8.3.1
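Review bot: The first hunk emits `xt_xlate_add(xl, "{ ");` unconditionally at the top of status_xlate_print, so the translation of the non-negated form changes as well (`ct status { expected,assured }` rather than the `ct status expected,assured` shown in the commit message). That is valid nft set syntax and keeps both forms consistent, but the commit message only motivates the braces for the `!=` case and should say that the positive output changes too; the diffstat (`1 file changed, 4 insertions(+)`) also shows no accompanying update to any expected-translation test output for this extension, which would have to follow if such cases are kept for it.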
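Review bot: In the second hunk the closing `xt_xlate_add(xl, " }");` is added while the elements are still joined with `sep = ","` and no space, giving `{ expected,assured }`; nft prints set elements as `expected, assured`, so `sep = ", "` would make the translation match what `nft list ruleset` emits and make round-trip comparisons easier. Also worth a check: if status_xlate_print can be reached with statusmask == 0, the function now emits `{  }` instead of an empty string, so the caller should guarantee at least one flag is set, or the braces should be skipped in that case.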