Currently, state_xlate_print function prints statemask without { ... } around. But if ctstate condition is negative, then we have to use { ... } after "!=" operator Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx> --- extensions/libxt_conntrack.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 7734509..b3a2b2d 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1152,6 +1152,8 @@ static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask) { const char *sep = ""; + xt_xlate_add(xl, "{ "); + if (statemask & XT_CONNTRACK_STATE_INVALID) { xt_xlate_add(xl, "%s%s", sep, "invalid"); sep = ","; @@ -1172,6 +1174,8 @@ static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask) xt_xlate_add(xl, "%s%s", sep, "untracked"); sep = ","; } + + xt_xlate_add(xl, " }"); } static int state_xlate(struct xt_xlate *xl, -- 1.8.3.1
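Review bot: the opening `xt_xlate_add(xl, "{ ");` in the first hunk is unconditional, so braces are now emitted for every translation, not only for the negated `!=` case the commit message describes; `state_xlate_print` receives only `xl` and `statemask`, so it cannot see the invert flag, which means either the caller must pass the inversion (or emit the braces itself only when inverted) or the commit message should state plainly that the non-negated output changes as well (e.g. `ct state related,established` becomes `ct state { related,established }`). Also worth noting that with this placement a zero `statemask` would produce an empty `{  }` set; if callers can reach this function with no state bits set, guard for that before printing.

Review bot: the closing `xt_xlate_add(xl, " }");` in the second hunk correctly pairs with the opening brace, but since this changes the rendered `ct state` expression for all rule polarities, any existing translation test expectations that compare `iptables-translate` output for `--ctstate` will need to be updated in the same series, and the commit message should mention that the single-state output (e.g. `ct state { established }`) is also affected so reviewers do not read this as a negation-only fix.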