[iptables PATCH v2 2/2] extensions: libxt_conntrack: print xlate status as set

The status_xlate_print function prints the statusmask
without { ... } around it. But if the ctstatus condition is
negative, then we have to use { ... } after the "!=" operator in nft.

Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...

It will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@xxxxxxxxxxxxx>
---
 extensions/libxt_conntrack.c      | 15 +++++++++++++--
 extensions/libxt_conntrack.txlate |  3 +++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index fe964aa..61a67b0 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1198,9 +1198,16 @@ static int state_xlate(struct xt_xlate *xl,
 	return 1;
 }
 
-static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
+static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int afterinv)
 {
 	const char *sep = "";
+	int as_set;
+
+	/* print as set only after inversion and if more than one flag is set */
+	as_set = afterinv && (statusmask & (statusmask - 1));
+
+	if (as_set)
+		xt_xlate_add(xl, "{ ");
 
 	if (statusmask & IPS_EXPECTED) {
 		xt_xlate_add(xl, "%s%s", sep, "expected");
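Review bot: `afterinv` and `as_set` are declared `int` but are only ever used as booleans, and the caller hands `afterinv` a masked flag value rather than 0/1; declaring both as `bool` (or normalising with `!!`) would make the intent explicit and avoid a reader wondering whether the raw mask value matters. The `statusmask & (statusmask - 1)` test for "more than one bit set" is correct and the comment above it is welcome; consider also saying there that a single flag after `!=` needs no braces, since that is the reason for the second half of the condition.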
@@ -1218,6 +1225,9 @@ static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
 		xt_xlate_add(xl, "%s%s", sep, "confirmed");
 		sep = ",";
 	}
+
+	if (as_set)
+		xt_xlate_add(xl, " }");
 }
 
 static void addr_xlate_print(struct xt_xlate *xl,
@@ -1280,7 +1290,8 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
 		xt_xlate_add(xl, "%sct status %s", space,
 			     sinfo->invert_flags & XT_CONNTRACK_STATUS ?
 			     "!= " : "");
-		status_xlate_print(xl, sinfo->status_mask);
+		status_xlate_print(xl, sinfo->status_mask,
+				   sinfo->invert_flags & XT_CONNTRACK_STATUS);
 		space = " ";
 	}
 
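Review bot: the commit message only establishes that the comma-list form after `!=` fails to parse; it would help to state here, or in the message, that nft's `ct status != { a,b }` matches the same packets as iptables' inverted `! --ctstatus a,b`, not merely that it loads, since the translation is only correct if the two agree. Style-wise, passing `sinfo->invert_flags & XT_CONNTRACK_STATUS` directly as the `afterinv` argument works but relies on the callee treating any non-zero value as true; `!!(sinfo->invert_flags & XT_CONNTRACK_STATUS)` would be clearer.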
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 75b3daa..0cc7513 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -37,6 +37,9 @@ nft add rule ip filter INPUT ct status expected counter accept
 iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
 nft add rule ip filter INPUT ct status != confirmed counter accept
 
+iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status != { assured,confirmed } counter accept
+
 iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
 nft add rule ip filter INPUT ct expiration 3 counter accept
 
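Review bot: the new txlate case covers only the inverted two-flag form; a non-inverted `--ctstatus CONFIRMED,ASSURED` case beside it would pin down that the brace-free output is unchanged on that path. Note also that the expected output lists the flags as `assured,confirmed` rather than in the input order `CONFIRMED,ASSURED`, which ties the test to the print order inside status_xlate_print; a short comment on the expectation would make that dependency explicit.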
-- 
1.8.3.1