From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Shivani Bhardwaj <shivanib134@gmail.com>
Cc: Shyam Saini <mayhs11saini@gmail.com>,
	Netfilter Development Mailing list
	<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] iptables: fix the wrong appending of jump verdict after the comment.
Date: Thu, 26 Jan 2017 17:13:18 +0100
Message-ID: <20170126161318.GA5403@salvia>
In-Reply-To: <CAKHNQQFhjicOr4dkPkAkx7N6_v802t=aici9BEU5cMmeip=i+g@mail.gmail.com>

On Thu, Jan 26, 2017 at 05:06:56PM +0530, Shivani Bhardwaj wrote:
> On Thu, Jan 26, 2017 at 2:49 PM, Shyam Saini <mayhs11saini@gmail.com> wrote:
> > Fix wrong appending of jump verdict after the comment
> >
> > For example:
> > $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s  192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> > nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
> >
> > Note that even without comment with double-quotes (i.e. --comment
> > "foobar"), it will add quotes:
> >
> > $ iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m comment --comment singlecomment
> > nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
> >
> > Attempting to apply the translated/generated rule will result in:
> >
> > $ nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr  192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
> > <cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting endof file or newline or semicolon
> > add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment "foobar"jump LONGNACCEPT
> >
> > After this patch:
> > $ iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
> > nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
> > which is the correct translation
> >
> > Signed-off-by: Shyam Saini <mayhs11saini@gmail.com>
> 
> Reviewed-by: Shivani Bhardwaj <shivanib134@gmail.com>
> 
> It does get accepted by nft. Sorry about the last mail.
> You could probably send out a similar patch for ip6 too.

I have mangled your patch to include the missing IPv6 chunk.

So this patch has been applied, thanks!
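
An added example, not part of the original thread or of the iptables code base: a shell check that flags translated rules where the verdict is glued to the comment, as in the quoted report, and rewrites them into the post-patch order. The function and variable names and the verdict keyword list are assumptions of this example; the first two sample rules are the broken outputs quoted above and the third is the post-patch output.

```shell
#!/bin/sh
# A comment whose quotes may or may not be shell-escaped (\"...\" or "...").
COMMENT_RE='comment \\?"[^"]*\\?"'
# Verdict keywords checked for (assumed list; the thread shows jump and drop).
VERDICT_RE='((jump|goto) [^ ]+|accept|drop|return|continue)'

# Sample iptables-translate output taken from the message above.
sample_rules() {
cat <<'EOF'
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"singlecomment\"drop
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter jump LONGNACCEPT comment \"foobar\"
EOF
}

# Print (with line numbers) every rule on stdin whose verdict directly
# follows the closing quote of the comment; such a rule is rejected by nft.
find_glued_verdict() {
    grep -E -n -- "${COMMENT_RE}${VERDICT_RE}\$" || true
}

# Move the glued verdict in front of the comment, giving the order the
# patched translator emits. Lines without the defect pass through unchanged.
fix_glued_verdict() {
    sed -E "s/(${COMMENT_RE})${VERDICT_RE}\$/\\2 \\1/"
}

# Report the affected rules, then show the repaired rule set.
sample_rules | find_glued_verdict
sample_rules | fix_glued_verdict
```
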
