* [PATCH iptables,v2 1/5] libxtables: extend xlate infrastructure
2021-06-03 22:58 [PATCH iptables,v2 0/5] iptables-translation enhancements Pablo Neira Ayuso
@ 2021-06-03 22:58 ` Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 2/5] tests: xlate-test: support multiline expectation Pablo Neira Ayuso
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-03 22:58 UTC (permalink / raw)
To: netfilter-devel
This infrastructure extends the existing xlate infrastructure:
- Extensions can define set dependencies through .xlate. The resulting
set definition can be obtained through xt_xlate_set_get().
- Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch
the family.
The first client of this new xlate API is the connlimit extension,
which is added in a follow up patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
configure.ac | 4 +-
include/xtables.h | 6 +++
iptables/xtables-translate.c | 29 +++++++++----
libxtables/xtables.c | 82 ++++++++++++++++++++++++++++--------
4 files changed, 93 insertions(+), 28 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6864378a3fcb..00ae60c5cfa1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,8 +2,8 @@
AC_INIT([iptables], [1.8.7])
# See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=16
-libxtables_vage=4
+libxtables_vcurrent=17
+libxtables_vage=5
AC_CONFIG_AUX_DIR([build-aux])
AC_CONFIG_HEADERS([config.h])
diff --git a/include/xtables.h b/include/xtables.h
index df1eaee32664..347f4bd7aa98 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -632,9 +632,15 @@ extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
struct xt_xlate *xt_xlate_alloc(int size);
void xt_xlate_free(struct xt_xlate *xl);
void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3)));
+#define xt_xlate_rule_add xt_xlate_add
+void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3)));
void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
const char *xt_xlate_get_comment(struct xt_xlate *xl);
+void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family);
+uint8_t xt_xlate_get_family(struct xt_xlate *xl);
const char *xt_xlate_get(struct xt_xlate *xl);
+#define xt_xlate_rule_get xt_xlate_get
+const char *xt_xlate_set_get(struct xt_xlate *xl);
#ifdef XTABLES_INTERNAL
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 575fb320dc40..33ba68eceb74 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -155,20 +155,33 @@ static int nft_rule_xlate_add(struct nft_handle *h,
bool append)
{
struct xt_xlate *xl = xt_xlate_alloc(10240);
+ const char *set;
int ret;
+ xl_xlate_set_family(xl, h->family);
+ ret = h->ops->xlate(cs, xl);
+ if (!ret)
+ goto err_out;
+
+ set = xt_xlate_set_get(xl);
+ if (set[0]) {
+ printf("add set %s %s %s\n", family2str[h->family], p->table,
+ xt_xlate_set_get(xl));
+
+ if (!cs->restore && p->command != CMD_NONE)
+ printf("nft ");
+ }
+
if (append) {
- xt_xlate_add(xl, "add rule %s %s %s ",
- family2str[h->family], p->table, p->chain);
+ printf("add rule %s %s %s ",
+ family2str[h->family], p->table, p->chain);
} else {
- xt_xlate_add(xl, "insert rule %s %s %s ",
- family2str[h->family], p->table, p->chain);
+ printf("insert rule %s %s %s ",
+ family2str[h->family], p->table, p->chain);
}
+ printf("%s\n", xt_xlate_rule_get(xl));
- ret = h->ops->xlate(cs, xl);
- if (ret)
- printf("%s\n", xt_xlate_get(xl));
-
+err_out:
xt_xlate_free(xl);
return ret;
}
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index e6edfb5b4946..d7aab834b998 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -2319,32 +2319,42 @@ void get_kernel_version(void)
#include <linux/netfilter/nf_tables.h>
+enum xt_xlate_type {
+ XT_XLATE_RULE = 0,
+ XT_XLATE_SET,
+ __XT_XLATE_MAX
+};
+
struct xt_xlate {
- struct {
+ struct xt_xlate_buf {
char *data;
int size;
int rem;
int off;
- } buf;
+ } buf[__XT_XLATE_MAX];
char comment[NFT_USERDATA_MAXLEN];
+ int family;
};
struct xt_xlate *xt_xlate_alloc(int size)
{
struct xt_xlate *xl;
+ int i;
xl = malloc(sizeof(struct xt_xlate));
if (xl == NULL)
xtables_error(RESOURCE_PROBLEM, "OOM");
- xl->buf.data = malloc(size);
- if (xl->buf.data == NULL)
- xtables_error(RESOURCE_PROBLEM, "OOM");
+ for (i = 0; i < __XT_XLATE_MAX; i++) {
+ xl->buf[i].data = malloc(size);
+ if (xl->buf[i].data == NULL)
+ xtables_error(RESOURCE_PROBLEM, "OOM");
- xl->buf.data[0] = '\0';
- xl->buf.size = size;
- xl->buf.rem = size;
- xl->buf.off = 0;
+ xl->buf[i].data[0] = '\0';
+ xl->buf[i].size = size;
+ xl->buf[i].rem = size;
+ xl->buf[i].off = 0;
+ }
xl->comment[0] = '\0';
return xl;
@@ -2352,23 +2362,44 @@ struct xt_xlate *xt_xlate_alloc(int size)
void xt_xlate_free(struct xt_xlate *xl)
{
- free(xl->buf.data);
+ int i;
+
+ for (i = 0; i < __XT_XLATE_MAX; i++)
+ free(xl->buf[i].data);
+
free(xl);
}
-void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...)
+static void __xt_xlate_add(struct xt_xlate *xl, enum xt_xlate_type type,
+ const char *fmt, va_list ap)
{
- va_list ap;
+ struct xt_xlate_buf *buf = &xl->buf[type];
int len;
- va_start(ap, fmt);
- len = vsnprintf(xl->buf.data + xl->buf.off, xl->buf.rem, fmt, ap);
- if (len < 0 || len >= xl->buf.rem)
+ len = vsnprintf(buf->data + buf->off, buf->rem, fmt, ap);
+ if (len < 0 || len >= buf->rem)
xtables_error(RESOURCE_PROBLEM, "OOM");
+ buf->rem -= len;
+ buf->off += len;
+}
+
+void xt_xlate_rule_add(struct xt_xlate *xl, const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ __xt_xlate_add(xl, XT_XLATE_RULE, fmt, ap);
+ va_end(ap);
+}
+
+void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ __xt_xlate_add(xl, XT_XLATE_SET, fmt, ap);
va_end(ap);
- xl->buf.rem -= len;
- xl->buf.off += len;
}
void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment)
@@ -2382,7 +2413,22 @@ const char *xt_xlate_get_comment(struct xt_xlate *xl)
return xl->comment[0] ? xl->comment : NULL;
}
+void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family)
+{
+ xl->family = family;
+}
+
+uint8_t xt_xlate_get_family(struct xt_xlate *xl)
+{
+ return xl->family;
+}
+
const char *xt_xlate_get(struct xt_xlate *xl)
{
- return xl->buf.data;
+ return xl->buf[XT_XLATE_RULE].data;
+}
+
+const char *xt_xlate_set_get(struct xt_xlate *xl)
+{
+ return xl->buf[XT_XLATE_SET].data;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH iptables,v2 2/5] tests: xlate-test: support multiline expectation
2021-06-03 22:58 [PATCH iptables,v2 0/5] iptables-translation enhancements Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 1/5] libxtables: extend xlate infrastructure Pablo Neira Ayuso
@ 2021-06-03 22:58 ` Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 3/5] extensions: libxt_connlimit: add translation Pablo Neira Ayuso
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-03 22:58 UTC (permalink / raw)
To: netfilter-devel
Extend translation test to deal with multiline translation, e.g.
iptables-translate -A INPUT -m connlimit --connlimit-above 2
nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
xlate-test.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/xlate-test.py b/xlate-test.py
index 4c014f9bd269..cba98b6e8e49 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -39,14 +39,21 @@ def run_test(name, payload):
tests = passed = failed = errors = 0
result = []
- for line in payload:
+ line = payload.readline()
+ while line:
if line.startswith(keywords):
tests += 1
process = Popen([ xtables_nft_multi ] + shlex.split(line), stdout=PIPE, stderr=PIPE)
(output, error) = process.communicate()
if process.returncode == 0:
translation = output.decode("utf-8").rstrip(" \n")
- expected = next(payload).rstrip(" \n")
+ expected = payload.readline().rstrip(" \n")
+ next_expected = payload.readline().rstrip(" \n")
+ if next_expected.startswith("nft"):
+ expected += "\n" + next_expected
+ line = payload.readline()
+ else:
+ line = next_expected
if translation != expected:
test_passed = False
failed += 1
@@ -62,6 +69,9 @@ def run_test(name, payload):
errors += 1
result.append(name + ": " + red("Error: ") + "iptables-translate failure")
result.append(error.decode("utf-8"))
+ line = payload.readline()
+ else:
+ line = payload.readline()
if (passed == tests) and not args.test:
print(name + ": " + green("OK"))
if not test_passed:
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH iptables,v2 3/5] extensions: libxt_connlimit: add translation
2021-06-03 22:58 [PATCH iptables,v2 0/5] iptables-translation enhancements Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 1/5] libxtables: extend xlate infrastructure Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 2/5] tests: xlate-test: support multiline expectation Pablo Neira Ayuso
@ 2021-06-03 22:58 ` Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 5/5] extensions: libxt_conntrack: simplify translation using negation Pablo Neira Ayuso
4 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-03 22:58 UTC (permalink / raw)
To: netfilter-devel
This patch adds a translation for connlimit matches which requires
the definition of a set and the family context (either IPv4 or IPv6)
which is required to display the netmask accordingly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libxt_connlimit.c | 49 +++++++++++++++++++++++++++++++
extensions/libxt_connlimit.txlate | 15 ++++++++++
2 files changed, 64 insertions(+)
create mode 100644 extensions/libxt_connlimit.txlate
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index a569f86aa6b2..118faea560f7 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -2,6 +2,8 @@
#include <netdb.h>
#include <string.h>
#include <xtables.h>
+#include <arpa/inet.h>
+
#include <linux/netfilter/xt_connlimit.h>
enum {
@@ -183,6 +185,51 @@ static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
}
}
+static int connlimit_xlate(struct xt_xlate *xl,
+ const struct xt_xlate_mt_params *params)
+{
+ const struct xt_connlimit_info *info = (const void *)params->match->data;
+ static uint32_t connlimit_id;
+ char netmask[128] = {};
+ char addr[64] = {};
+ uint32_t mask;
+
+ switch (xt_xlate_get_family(xl)) {
+ case AF_INET:
+ mask = count_bits4(info->v4_mask);
+ if (mask != 32) {
+ struct in_addr *in = (struct in_addr *)&info->v4_mask;
+
+ inet_ntop(AF_INET, in, addr, sizeof(addr));
+ snprintf(netmask, sizeof(netmask), "and %s ", addr);
+ }
+ break;
+ case AF_INET6:
+ mask = count_bits6(info->v6_mask);
+ if (mask != 128) {
+ struct in6_addr *in6 = (struct in6_addr *)&info->v6_mask;
+
+ inet_ntop(AF_INET6, in6, addr, sizeof(addr));
+ snprintf(netmask, sizeof(netmask), "and %s ", addr);
+ }
+ break;
+ default:
+ return 0;
+ }
+
+ xt_xlate_set_add(xl, "connlimit%u { type ipv4_addr; flags dynamic; }",
+ connlimit_id);
+ xt_xlate_rule_add(xl, "add @connlimit%u { %s %s %sct count %s%u }",
+ connlimit_id++,
+ xt_xlate_get_family(xl) == AF_INET ? "ip" : "ip6",
+ info->flags & XT_CONNLIMIT_DADDR ? "daddr" : "saddr",
+ netmask,
+ info->flags & XT_CONNLIMIT_INVERT ? "" : "over ",
+ info->limit);
+
+ return 1;
+}
+
static struct xtables_match connlimit_mt_reg[] = {
{
.name = "connlimit",
@@ -228,6 +275,7 @@ static struct xtables_match connlimit_mt_reg[] = {
.print = connlimit_print4,
.save = connlimit_save4,
.x6_options = connlimit_opts,
+ .xlate = connlimit_xlate,
},
{
.name = "connlimit",
@@ -243,6 +291,7 @@ static struct xtables_match connlimit_mt_reg[] = {
.print = connlimit_print6,
.save = connlimit_save6,
.x6_options = connlimit_opts,
+ .xlate = connlimit_xlate,
},
};
diff --git a/extensions/libxt_connlimit.txlate b/extensions/libxt_connlimit.txlate
new file mode 100644
index 000000000000..758868c4436c
--- /dev/null
+++ b/extensions/libxt_connlimit.txlate
@@ -0,0 +1,15 @@
+iptables-translate -A INPUT -m connlimit --connlimit-above 2
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-mask 24
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr and 255.255.255.0 ct count 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-daddr
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip daddr ct count 2 } counter
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation
2021-06-03 22:58 [PATCH iptables,v2 0/5] iptables-translation enhancements Pablo Neira Ayuso
` (2 preceding siblings ...)
2021-06-03 22:58 ` [PATCH iptables,v2 3/5] extensions: libxt_connlimit: add translation Pablo Neira Ayuso
@ 2021-06-03 22:58 ` Pablo Neira Ayuso
2021-06-03 22:58 ` [PATCH iptables,v2 5/5] extensions: libxt_conntrack: simplify translation using negation Pablo Neira Ayuso
4 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-03 22:58 UTC (permalink / raw)
To: netfilter-devel
Use the new flags match representation available since nftables 0.9.9
to simplify the translation.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libxt_TCPMSS.txlate | 4 ++--
extensions/libxt_tcp.c | 10 +++++-----
extensions/libxt_tcp.txlate | 6 +++---
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/extensions/libxt_TCPMSS.txlate b/extensions/libxt_TCPMSS.txlate
index 6a64d2ce9bfd..3dbbad66c560 100644
--- a/extensions/libxt_TCPMSS.txlate
+++ b/extensions/libxt_TCPMSS.txlate
@@ -1,5 +1,5 @@
iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu
iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set 90
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c2..4bcd94630111 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -381,7 +381,7 @@ static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
if (have_flag)
- xt_xlate_add(xl, "|");
+ xt_xlate_add(xl, ",");
xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
have_flag = 1;
@@ -435,11 +435,11 @@ static int tcp_xlate(struct xt_xlate *xl,
return 0;
if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
- xt_xlate_add(xl, "%stcp flags & (", space);
- print_tcp_xlate(xl, tcpinfo->flg_mask);
- xt_xlate_add(xl, ") %s ",
- tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
+ xt_xlate_add(xl, "%stcp flags %s", space,
+ tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!= ": "");
print_tcp_xlate(xl, tcpinfo->flg_cmp);
+ xt_xlate_add(xl, " / ");
+ print_tcp_xlate(xl, tcpinfo->flg_mask);
}
return 1;
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index bba63324df2b..921d4af024d3 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -11,13 +11,13 @@ iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT
nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop
+nft add rule ip filter INPUT tcp flags fin / fin,ack counter drop
iptables-translate -A INPUT -p tcp --syn -j ACCEPT
-nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter accept
iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp dport 80 tcp flags syn / fin,syn,rst,ack counter accept
iptables-translate -A INPUT -f -p tcp
nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH iptables,v2 5/5] extensions: libxt_conntrack: simplify translation using negation
2021-06-03 22:58 [PATCH iptables,v2 0/5] iptables-translation enhancements Pablo Neira Ayuso
` (3 preceding siblings ...)
2021-06-03 22:58 ` [PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation Pablo Neira Ayuso
@ 2021-06-03 22:58 ` Pablo Neira Ayuso
4 siblings, 0 replies; 6+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-03 22:58 UTC (permalink / raw)
To: netfilter-devel
Available since nftables 0.9.9. For example:
# iptables-translate -I INPUT -m state ! --state NEW,INVALID
nft insert rule ip filter INPUT ct state ! invalid,new counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libxt_conntrack.c | 46 +++++++++----------------------
extensions/libxt_conntrack.txlate | 8 +++---
2 files changed, 17 insertions(+), 37 deletions(-)
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7f7b45ee1f82..64018ce152b7 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1151,40 +1151,30 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
{
const char *sep = "";
- int one_flag_set;
- one_flag_set = !(statemask & (statemask - 1));
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, "& (");
- else if (inverted)
- xt_xlate_add(xl, "& ");
+ if (inverted)
+ xt_xlate_add(xl, "! ");
if (statemask & XT_CONNTRACK_STATE_INVALID) {
xt_xlate_add(xl, "%s%s", sep, "invalid");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
xt_xlate_add(xl, "%s%s", sep, "new");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
xt_xlate_add(xl, "%s%s", sep, "related");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
xt_xlate_add(xl, "%s%s", sep, "established");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
xt_xlate_add(xl, "%s%s", sep, "untracked");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, ") == 0");
- else if (inverted)
- xt_xlate_add(xl, " == 0");
}
static int state_xlate(struct xt_xlate *xl,
@@ -1203,36 +1193,26 @@ static int state_xlate(struct xt_xlate *xl,
static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
{
const char *sep = "";
- int one_flag_set;
- one_flag_set = !(statusmask & (statusmask - 1));
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, "& (");
- else if (inverted)
- xt_xlate_add(xl, "& ");
+ if (inverted)
+ xt_xlate_add(xl, "! ");
if (statusmask & IPS_EXPECTED) {
xt_xlate_add(xl, "%s%s", sep, "expected");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_SEEN_REPLY) {
xt_xlate_add(xl, "%s%s", sep, "seen-reply");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_ASSURED) {
xt_xlate_add(xl, "%s%s", sep, "assured");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
if (statusmask & IPS_CONFIRMED) {
xt_xlate_add(xl, "%s%s", sep, "confirmed");
- sep = inverted && !one_flag_set ? "|" : ",";
+ sep = ",";
}
-
- if (inverted && !one_flag_set)
- xt_xlate_add(xl, ") == 0");
- else if (inverted)
- xt_xlate_add(xl, " == 0");
}
static void addr_xlate_print(struct xt_xlate *xl,
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 8cc7c504ab4b..45fba984ba96 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,10 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
nft add rule ip filter INPUT ct state new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new,related counter accept
ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
-nft add rule ip6 filter INPUT ct state & new == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
nft add rule ip filter INPUT ct original protocol 17 counter accept
@@ -35,10 +35,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
-nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
+nft add rule ip filter INPUT ct status ! confirmed counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
-nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+nft add rule ip filter INPUT ct status ! assured,confirmed counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
nft add rule ip filter INPUT ct status assured,confirmed counter accept
--
2.20.1
^ permalink raw reply related [flat|nested] 6+ messages in thread