* [PATCH iptables] extensions: libxt_conntrack: simplify translation using negation
@ 2021-06-03 0:06 Pablo Neira Ayuso
0 siblings, 0 replies; only message in thread
From: Pablo Neira Ayuso @ 2021-06-03 0:06 UTC (permalink / raw)
To: netfilter-devel
Available since nftables 0.9.9. For example:
# iptables-translate -I INPUT -m state ! --state NEW,INVALID
nft insert rule ip filter INPUT ct state ! invalid,new counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libxt_conntrack.c | 46 ++++++++++--------------------------
1 file changed, 13 insertions(+), 33 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7f7b45ee1f82..64018ce152b7 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1151,40 +1151,30 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
{
const char *sep = "";
- int one_flag_set;
- one_flag_set = !(statemask & (statemask - 1));
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, "& (");
- else if (inverted)
- xt_xlate_add(xl, "& ");
+ if (inverted)
+ xt_xlate_add(xl, "! ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
xt_xlate_add(xl, "%s%s", sep, "new");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
xt_xlate_add(xl, "%s%s", sep, "related");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
xt_xlate_add(xl, "%s%s", sep, "established");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
xt_xlate_add(xl, "%s%s", sep, "untracked");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, ") == 0");
- else if (inverted)
- xt_xlate_add(xl, " == 0");
}
static int state_xlate(struct xt_xlate *xl,
@@ -1203,36 +1193,26 @@ static int state_xlate(struct xt_xlate *xl,
static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
{
const char *sep = "";
- int one_flag_set;
- one_flag_set = !(statusmask & (statusmask - 1));
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, "& (");
- else if (inverted)
- xt_xlate_add(xl, "& ");
+ if (inverted)
+ xt_xlate_add(xl, "! ");
if (statusmask & IPS_EXPECTED) {
xt_xlate_add(xl, "%s%s", sep, "expected");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_SEEN_REPLY) {
xt_xlate_add(xl, "%s%s", sep, "seen-reply");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_ASSURED) {
xt_xlate_add(xl, "%s%s", sep, "assured");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_CONFIRMED) {
xt_xlate_add(xl, "%s%s", sep, "confirmed");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, ") == 0");
- else if (inverted)
- xt_xlate_add(xl, " == 0");
}
static void addr_xlate_print(struct xt_xlate *xl,
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-06-03 0:07 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-06-03 0:06 [PATCH iptables] extensions: libxt_conntrack: simplify translation using negation Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).