From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [iptables PATCH 6/7] xtables-translate: Fix for interfaces with asterisk mid-string
Date: Thu, 1 Dec 2022 17:39:15 +0100 [thread overview]
Message-ID: <20221201163916.30808-7-phil@nwl.cc> (raw)
In-Reply-To: <20221201163916.30808-1-phil@nwl.cc>
For nft, asterisk is special at end of the interface name only. Escaping
it mid-string makes the escape char part of the interface name, so avoid
this.
In the test case, also drop the ticks around interface names in
*-translate command - since there's no shell involved which would eat
them, they become part of the interface name.
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/generic.txlate | 14 +++++++-------
iptables/xtables-translate.c | 4 +++-
2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index 7e879fd526bb1..d7ddf6a39762e 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -74,17 +74,17 @@ ebtables-translate -I INPUT -p ! Length
nft 'insert rule bridge filter INPUT ether type >= 0x0600 counter'
# asterisk is not special in iptables and it is even a valid interface name
-iptables-translate -A FORWARD -i '*' -o 'eth*foo'
-nft 'add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter'
+iptables-translate -A FORWARD -i * -o eth*foo
+nft 'add rule ip filter FORWARD iifname "\*" oifname "eth*foo" counter'
-# escape all asterisks but translate only the first plus character
-iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
-nft 'add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter'
+# escape only suffix asterisk and translate only the last plus character
+iptables-translate -A FORWARD -i eth*foo*+ -o eth++
+nft 'add rule ip filter FORWARD iifname "eth*foo**" oifname "eth+*" counter'
# skip for always matching interface names
-iptables-translate -A FORWARD -i '+'
+iptables-translate -A FORWARD -i +
nft 'add rule ip filter FORWARD counter'
# match against invalid interface name to simulate never matching rule
-iptables-translate -A FORWARD ! -i '+'
+iptables-translate -A FORWARD ! -i +
nft 'add rule ip filter FORWARD iifname "INVAL/D" counter'
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 6b71fcef74b9c..07d6ee40cf727 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -41,7 +41,9 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
switch (ifname[i]) {
case '*':
- iface[j++] = '\\';
+ /* asterisk is non-special mid-string */
+ if (i == ifaclen - 1)
+ iface[j++] = '\\';
/* fall through */
default:
iface[j] = ifname[i];
--
2.38.0
next prev parent reply other threads:[~2022-12-01 16:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-01 16:39 [iptables PATCH 0/7] tests: xlate: generic.txlate to pass replay test Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 1/7] ebtables: Implement --check command Phil Sutter
2022-12-08 21:40 ` Pablo Neira Ayuso
2022-12-09 0:41 ` Phil Sutter
2022-12-09 15:23 ` Pablo Neira Ayuso
2022-12-09 16:51 ` Phil Sutter
2022-12-09 20:09 ` Pablo Neira Ayuso
2022-12-01 16:39 ` [iptables PATCH 2/7] tests: xlate: Use --check to verify replay Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 3/7] nft: Fix for comparing ifname matches against nft-generated ones Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 4/7] nft: Fix match generator for '! -i +' Phil Sutter
2022-12-08 12:23 ` Pablo Neira Ayuso
2022-12-08 13:19 ` Phil Sutter
2022-12-08 20:31 ` Pablo Neira Ayuso
2022-12-09 0:25 ` Phil Sutter
2022-12-01 16:39 ` [iptables PATCH 5/7] nft: Recognize INVAL/D interface name Phil Sutter
2022-12-01 16:39 ` Phil Sutter [this message]
2022-12-01 16:39 ` [iptables PATCH 7/7] ebtables: Fix MAC address match translation Phil Sutter
2022-12-02 0:46 ` [iptables PATCH 0/7] tests: xlate: generic.txlate to pass replay test Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221201163916.30808-7-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).