authorPablo M. Bermudo Garay <pablombg@gmail.com>2016-07-09 12:27:51 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-07-09 13:44:46 +0200
commitf035be35c749d5c5cbb7ffdbcd1c548b91bd3033 (patch)
tree69f5402722a70645f783d761e2ec60a4e99a85e1 /extensions/libxt_conntrack.c
parente8f857a5a1514c3e7d0d8ea0f7d2d571f0e37bd1 (diff)
xtables-translate: fix multiple spaces issue
This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_conntrack.c')
-rw-r--r--extensions/libxt_conntrack.c68
1 files changed, 38 insertions, 30 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 22424895..4f3853c0 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1236,40 +1236,45 @@ static int _conntrack3_mt_xlate(const void *ip,
int family)
{
const struct xt_conntrack_mtinfo3 *sinfo = (const void *)match->data;
+ char *space = "";
- if (sinfo->match_flags & XT_CONNTRACK_DIRECTION)
- xt_xlate_add(xl, "ct direction %s ",
+ if (sinfo->match_flags & XT_CONNTRACK_DIRECTION) {
+ xt_xlate_add(xl, "ct direction %s",
sinfo->invert_flags & XT_CONNTRACK_DIRECTION ?
"reply" : "original");
+ space = " ";
+ }
- if (sinfo->match_flags & XT_CONNTRACK_PROTO)
- xt_xlate_add(xl, "ct %s protocol %s%u ",
+ if (sinfo->match_flags & XT_CONNTRACK_PROTO) {
+ xt_xlate_add(xl, "%sct %s protocol %s%u", space,
sinfo->invert_flags & XT_CONNTRACK_DIRECTION ?
"reply" : "original",
sinfo->invert_flags & XT_CONNTRACK_PROTO ?
"!= " : "",
sinfo->l4proto);
+ space = " ";
+ }
if (sinfo->match_flags & XT_CONNTRACK_STATE) {
- xt_xlate_add(xl, "ct state %s",
+ xt_xlate_add(xl, "%sct state %s", space,
sinfo->invert_flags & XT_CONNTRACK_STATE ?
"!= " : "");
state_xlate_print(xl, sinfo->state_mask);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
if (sinfo->status_mask == 1)
return 0;
- xt_xlate_add(xl, "ct status %s",
+ xt_xlate_add(xl, "%sct status %s", space,
sinfo->invert_flags & XT_CONNTRACK_STATUS ?
"!= " : "");
status_xlate_print(xl, sinfo->status_mask);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_EXPIRES) {
- xt_xlate_add(xl, "ct expiration %s",
+ xt_xlate_add(xl, "%sct expiration %s", space,
sinfo->invert_flags & XT_CONNTRACK_EXPIRES ?
"!= " : "");
if (sinfo->expires_max == sinfo->expires_min)
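Review bot: The `return 0` in the `XT_CONNTRACK_STATUS` branch runs after the direction, protocol and state fragments may already have been appended to `xl`, so an untranslatable rule can leave a partial `ct ...` expression in the buffer; whether the caller discards `xl` on a zero return is not visible in this hunk. Testing the unsupported case before the first `xt_xlate_add` call, e.g. `if ((sinfo->match_flags & XT_CONNTRACK_STATUS) && sinfo->status_mask == 1) return 0;`, would keep the translation all-or-nothing, which matters when the output is loaded as a firewall ruleset. The same early-return shape recurs in the address branches of the second hunk. As a smaller point, `space` only ever points at string literals, so it should be declared `const char *space = "";`. The function starts before this hunk and continues past it.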
@@ -1277,98 +1282,101 @@ static int _conntrack3_mt_xlate(const void *ip,
else
xt_xlate_add(xl, "%lu-%lu", sinfo->expires_min,
sinfo->expires_max);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC) {
if (&sinfo->origsrc_addr == 0L)
return 0;
- xt_xlate_add(xl, "ct original saddr %s",
+ xt_xlate_add(xl, "%sct original saddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGSRC ?
"!= " : "");
addr_xlate_print(xl, &sinfo->origsrc_addr,
&sinfo->origsrc_mask, family);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGDST) {
if (&sinfo->origdst_addr == 0L)
return 0;
- xt_xlate_add(xl, "ct original daddr %s",
+ xt_xlate_add(xl, "%sct original daddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGDST ?
"!= " : "");
addr_xlate_print(xl, &sinfo->origdst_addr,
&sinfo->origdst_mask, family);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_REPLSRC) {
if (&sinfo->replsrc_addr == 0L)
return 0;
- xt_xlate_add(xl, "ct reply saddr %s",
+ xt_xlate_add(xl, "%sct reply saddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLSRC ?
"!= " : "");
addr_xlate_print(xl, &sinfo->replsrc_addr,
&sinfo->replsrc_mask, family);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_REPLDST) {
if (&sinfo->repldst_addr == 0L)
return 0;
- xt_xlate_add(xl, "ct reply daddr %s",
+ xt_xlate_add(xl, "%sct reply daddr %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLDST ?
"!= " : "");
addr_xlate_print(xl, &sinfo->repldst_addr,
&sinfo->repldst_mask, family);
- xt_xlate_add(xl, " ");
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGSRC_PORT) {
- xt_xlate_add(xl, "ct original proto-src %s",
+ xt_xlate_add(xl, "%sct original proto-src %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGSRC_PORT ?
"!= " : "");
if (sinfo->origsrc_port == sinfo->origsrc_port_high)
- xt_xlate_add(xl, "%u ", sinfo->origsrc_port);
+ xt_xlate_add(xl, "%u", sinfo->origsrc_port);
else
- xt_xlate_add(xl, "%u-%u ", sinfo->origsrc_port,
+ xt_xlate_add(xl, "%u-%u", sinfo->origsrc_port,
sinfo->origsrc_port_high);
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_ORIGDST_PORT) {
- xt_xlate_add(xl, "ct original proto-dst %s",
+ xt_xlate_add(xl, "%sct original proto-dst %s", space,
sinfo->invert_flags & XT_CONNTRACK_ORIGDST_PORT ?
"!= " : "");
if (sinfo->origdst_port == sinfo->origdst_port_high)
- xt_xlate_add(xl, "%u ", sinfo->origdst_port);
+ xt_xlate_add(xl, "%u", sinfo->origdst_port);
else
- xt_xlate_add(xl, "%u-%u ", sinfo->origdst_port,
+ xt_xlate_add(xl, "%u-%u", sinfo->origdst_port,
sinfo->origdst_port_high);
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_REPLSRC_PORT) {
- xt_xlate_add(xl, "ct reply proto-src %s",
+ xt_xlate_add(xl, "%sct reply proto-src %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLSRC_PORT ?
"!= " : "");
if (sinfo->replsrc_port == sinfo->replsrc_port_high)
- xt_xlate_add(xl, "%u ", sinfo->replsrc_port);
+ xt_xlate_add(xl, "%u", sinfo->replsrc_port);
else
- xt_xlate_add(xl, "%u-%u ", sinfo->replsrc_port,
+ xt_xlate_add(xl, "%u-%u", sinfo->replsrc_port,
sinfo->replsrc_port_high);
+ space = " ";
}
if (sinfo->match_flags & XT_CONNTRACK_REPLDST_PORT) {
- xt_xlate_add(xl, "ct reply proto-dst %s",
+ xt_xlate_add(xl, "%sct reply proto-dst %s", space,
sinfo->invert_flags & XT_CONNTRACK_REPLDST_PORT ?
"!= " : "", sinfo->repldst_port);
if (sinfo->repldst_port == sinfo->repldst_port_high)
- xt_xlate_add(xl, "%u ", sinfo->repldst_port);
+ xt_xlate_add(xl, "%u", sinfo->repldst_port);
else
- xt_xlate_add(xl, "%u-%u ", sinfo->repldst_port,
+ xt_xlate_add(xl, "%u-%u", sinfo->repldst_port,
sinfo->repldst_port_high);
}