[iptables PATCH 1/2] extensions: libxt_conntrack: print xlate state as set

[iptables PATCH 1/2] extensions: libxt_conntrack: print xlate state as set

[Alexander Mikhalitsyn]

Currently, state_xlate_print function prints statemask
without { ... } around. But if ctstate condition is
negative, then we have to use { ... } after "!=" operator

Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop
...

it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>

---
 extensions/libxt_conntrack.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7734509..b3a2b2d 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1152,6 +1152,8 @@ static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
 {
 	const char *sep = "";
 
+	xt_xlate_add(xl, "{ ");
+
 	if (statemask & XT_CONNTRACK_STATE_INVALID) {
 		xt_xlate_add(xl, "%s%s", sep, "invalid");
 		sep = ",";
@@ -1172,6 +1174,8 @@ static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask)
 		xt_xlate_add(xl, "%s%s", sep, "untracked");
 		sep = ",";
 	}
+
+	xt_xlate_add(xl, " }");
 }
 
 static int state_xlate(struct xt_xlate *xl,
-- 
1.8.3.1

[iptables PATCH 2/2] extensions: libxt_conntrack: print xlate status as set

[Alexander Mikhalitsyn]

status_xlate_print function prints statusmask
without { ... } around. But if ctstatus condition is
negative, then we have to use { ... } after "!=" operator in nft

Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...

it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon

Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>

---
 extensions/libxt_conntrack.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index b3a2b2d..132d512 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1195,6 +1195,8 @@ static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
 {
 	const char *sep = "";
 
+	xt_xlate_add(xl, "{ ");
+
 	if (statusmask & IPS_EXPECTED) {
 		xt_xlate_add(xl, "%s%s", sep, "expected");
 		sep = ",";
@@ -1211,6 +1213,8 @@ static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
 		xt_xlate_add(xl, "%s%s", sep, "confirmed");
 		sep = ",";
 	}
+
+	xt_xlate_add(xl, " }");
 }
 
 static void addr_xlate_print(struct xt_xlate *xl,
-- 
1.8.3.1