summaryrefslogtreecommitdiffstats
path: root/extensions
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2022-11-25 03:13:14 +0100
committerPhil Sutter <phil@nwl.cc>2022-11-29 13:25:26 +0100
commit023dd2c515be63ddb2f0b6a6f3bccab4cdf7a71c (patch)
tree4209d3e8123555385bbc731fe8da9ac2c90bf07b /extensions
parent208290ff0bfecb49044c3df87149aa6fa683de09 (diff)
libxtables: xt_xlate_add() to take care of spacing
Try to eliminate most of the whitespace issues by separating strings from separate xt_xlate_add() calls by whitespace if needed. Cover the common case of consecutive range, list or MAC/IP address printing by inserting whitespace only if the string to be appended starts with an alphanumeric character or a brace. The latter helps to make spacing in anonymous sets consistent. Provide *_nospc() variants which disable the auto-spacing for the mandatory exception to the rule. Make things round by dropping any trailing whitespace before returning the buffer via xt_xlate_get(). Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions')
-rw-r--r--extensions/libxt_dccp.txlate2
-rw-r--r--extensions/libxt_hashlimit.c2
-rw-r--r--extensions/libxt_hashlimit.txlate4
-rw-r--r--extensions/libxt_multiport.txlate2
-rw-r--r--extensions/libxt_tcp.c7
-rw-r--r--extensions/libxt_time.txlate6
6 files changed, 11 insertions, 12 deletions
diff --git a/extensions/libxt_dccp.txlate b/extensions/libxt_dccp.txlate
index ea853f6a..be950bcb 100644
--- a/extensions/libxt_dccp.txlate
+++ b/extensions/libxt_dccp.txlate
@@ -14,7 +14,7 @@ iptables-translate -A INPUT -p dccp -m dccp --dccp-types INVALID
nft add rule ip filter INPUT dccp type 10-15 counter
iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK,INVALID
-nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack, 10-15} counter
+nft add rule ip filter INPUT dccp dport 100 dccp type { request, response, data, ack, dataack, closereq, close, sync, syncack, 10-15 } counter
iptables-translate -A INPUT -p dccp -m dccp --sport 200 --dport 100
nft add rule ip filter INPUT dccp sport 200 dccp dport 100 counter
diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c
index 93ee1c32..24e784ab 100644
--- a/extensions/libxt_hashlimit.c
+++ b/extensions/libxt_hashlimit.c
@@ -1270,7 +1270,7 @@ static void hashlimit_print_subnet_xlate(struct xt_xlate *xl,
}
}
- xt_xlate_add(xl, fmt, acm);
+ xt_xlate_add_nospc(xl, fmt, acm);
if (nblocks > 0)
xt_xlate_add(xl, "%c", sep);
}
diff --git a/extensions/libxt_hashlimit.txlate b/extensions/libxt_hashlimit.txlate
index 6c8d07f1..251a30d3 100644
--- a/extensions/libxt_hashlimit.txlate
+++ b/extensions/libxt_hashlimit.txlate
@@ -1,5 +1,5 @@
iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-above 20kb/s --hashlimit-burst 1mb --hashlimit-mode dstip --hashlimit-name https --hashlimit-dstmask 24 -m state --state NEW -j DROP
-nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second burst 1 mbytes} ct state new counter drop
+nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr and 255.255.255.0 timeout 60s limit rate over 20 kbytes/second burst 1 mbytes } ct state new counter drop
iptables-translate -A OUTPUT -m tcp -p tcp --dport 443 -m hashlimit --hashlimit-upto 300 --hashlimit-burst 15 --hashlimit-mode srcip,dstip --hashlimit-name https --hashlimit-htable-expire 300000 -m state --state NEW -j DROP
-nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets} ct state new counter drop
+nft add rule ip filter OUTPUT tcp dport 443 meter https { ip daddr . ip saddr timeout 300s limit rate 300/second burst 15 packets } ct state new counter drop
diff --git a/extensions/libxt_multiport.txlate b/extensions/libxt_multiport.txlate
index bced1b84..bf015265 100644
--- a/extensions/libxt_multiport.txlate
+++ b/extensions/libxt_multiport.txlate
@@ -1,5 +1,5 @@
iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT
-nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept
+nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81 } counter accept
iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 043382d4..2ef84299 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -380,10 +380,9 @@ static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
- if (have_flag)
- xt_xlate_add(xl, ",");
-
- xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
+ xt_xlate_add(xl, "%s%s",
+ have_flag ? "," : "",
+ tcp_flag_names_xlate[i].name);
have_flag = 1;
flags &= ~tcp_flag_names_xlate[i].flag;
diff --git a/extensions/libxt_time.txlate b/extensions/libxt_time.txlate
index ff4a7b88..2083ab94 100644
--- a/extensions/libxt_time.txlate
+++ b/extensions/libxt_time.txlate
@@ -1,5 +1,5 @@
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --weekdays Sa,Su -j REJECT
-nft add rule ip filter INPUT icmp type echo-request meta day {6,0} counter reject
+nft add rule ip filter INPUT icmp type echo-request meta day { 6,0 } counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --timestart 12:00 -j REJECT
nft add rule ip filter INPUT icmp type echo-request meta hour "12:00:00"-"23:59:59" counter reject
@@ -20,7 +20,7 @@ iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart
nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"23:59:59" counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
-nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {1,2,3,4,5} counter reject
+nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day { 1,2,3,4,5 } counter reject
iptables-translate -A INPUT -p icmp --icmp-type echo-request -m time --datestart 2020-01-29T00:00:00 --timestart 12:00 --timestop 19:00 ! --weekdays Mon,Tue,Wed,Thu,Fri -j REJECT
-nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day {6,0} counter reject
+nft add rule ip filter INPUT icmp type echo-request meta time "2020-01-29 00:00:00"-"2038-01-19 03:14:07" meta hour "12:00:00"-"19:00:00" meta day { 6,0 } counter reject