diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-03 01:58:43 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-07 21:35:27 +0200 |
| commit | c8145139cb230ff22837795c97f2e264c574c64c (patch) | |
| tree | af4a98ee8f9ea7ad3702c572751af920ba515c04 | |
| parent | 1c934617f661dc0bc471c0f0b4ace254c55182df (diff) | |
extensions: libxt_conntrack: simplify translation using negation
Available since nftables 0.9.9. For example:
# iptables-translate -I INPUT -m state ! --state NEW,INVALID
nft insert rule ip filter INPUT ct state ! invalid,new counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | extensions/libxt_conntrack.c | 46 | ||||
| -rw-r--r-- | extensions/libxt_conntrack.txlate | 8 |
2 files changed, 17 insertions, 37 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 7f7b45ee..64018ce1 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1151,40 +1151,30 @@ static void state_save(const void *ip, const struct xt_entry_match *match) static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted) { const char *sep = ""; - int one_flag_set; - one_flag_set = !(statemask & (statemask - 1)); - - if (inverted && !one_flag_set) - xt_xlate_add(xl, "& ("); - else if (inverted) - xt_xlate_add(xl, "& "); + if (inverted) + xt_xlate_add(xl, "! "); if (statemask & XT_CONNTRACK_STATE_INVALID) { xt_xlate_add(xl, "%s%s", sep, "invalid"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) { xt_xlate_add(xl, "%s%s", sep, "new"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) { xt_xlate_add(xl, "%s%s", sep, "related"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) { xt_xlate_add(xl, "%s%s", sep, "established"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statemask & XT_CONNTRACK_STATE_UNTRACKED) { xt_xlate_add(xl, "%s%s", sep, "untracked"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } - - if (inverted && !one_flag_set) - xt_xlate_add(xl, ") == 0"); - else if (inverted) - xt_xlate_add(xl, " == 0"); } static int state_xlate(struct xt_xlate *xl, @@ -1203,36 +1193,26 @@ static int state_xlate(struct xt_xlate *xl, static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted) { const char *sep = ""; - int one_flag_set; - one_flag_set = !(statusmask & (statusmask - 1)); - - if (inverted && !one_flag_set) - xt_xlate_add(xl, "& ("); - else if (inverted) - xt_xlate_add(xl, "& "); + if (inverted) + xt_xlate_add(xl, "! "); if (statusmask & IPS_EXPECTED) { xt_xlate_add(xl, "%s%s", sep, "expected"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statusmask & IPS_SEEN_REPLY) { xt_xlate_add(xl, "%s%s", sep, "seen-reply"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statusmask & IPS_ASSURED) { xt_xlate_add(xl, "%s%s", sep, "assured"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } if (statusmask & IPS_CONFIRMED) { xt_xlate_add(xl, "%s%s", sep, "confirmed"); - sep = inverted && !one_flag_set ? "|" : ","; + sep = ","; } - - if (inverted && !one_flag_set) - xt_xlate_add(xl, ") == 0"); - else if (inverted) - xt_xlate_add(xl, " == 0"); } static void addr_xlate_print(struct xt_xlate *xl, diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate index 8cc7c504..45fba984 100644 --- a/extensions/libxt_conntrack.txlate +++ b/extensions/libxt_conntrack.txlate @@ -2,10 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE nft add rule ip filter INPUT ct state new,related counter accept ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT -nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept +nft add rule ip6 filter INPUT ct state ! new,related counter accept ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT -nft add rule ip6 filter INPUT ct state & new == 0 counter accept +nft add rule ip6 filter INPUT ct state ! new counter accept iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT nft add rule ip filter INPUT ct original protocol 17 counter accept @@ -35,10 +35,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT nft add rule ip filter INPUT ct status expected counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT -nft add rule ip filter INPUT ct status & confirmed == 0 counter accept +nft add rule ip filter INPUT ct status ! confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT -nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept +nft add rule ip filter INPUT ct status ! assured,confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT nft add rule ip filter INPUT ct status assured,confirmed counter accept |