diff options
| author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2014-11-12 13:00:12 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-11-12 13:16:57 +0100 |
| commit | c82bf9f79bbc299de428fdc2e204d571b6cbc50d (patch) | |
| tree | 984f4940c32af3d41e1598545a1e4e4b4b321659 /iptables/nft-ipv4.c | |
| parent | df3741332d86629a8fdd267930e0a249803f6aa8 (diff) | |
iptables-compat: kill add_*() invflags parameter
Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ.
The caller must calculate which kind of cmp operation requires.
BTW, this patch solves absence of inversion in some arptables-compat
builtin matches. Thus, translating arptables inv flags is no longer needed.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv4.c')
| -rw-r--r-- | iptables/nft-ipv4.c | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index a2c58060..1b0dc2a1 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -31,25 +31,33 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) struct xtables_rule_match *matchp; uint32_t op; - if (cs->fw.ip.iniface[0] != '\0') - add_iniface(r, cs->fw.ip.iniface, cs->fw.ip.invflags); + if (cs->fw.ip.iniface[0] != '\0') { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_IN); + add_iniface(r, cs->fw.ip.iniface, op); + } - if (cs->fw.ip.outiface[0] != '\0') - add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags); + if (cs->fw.ip.outiface[0] != '\0') { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_OUT); + add_outiface(r, cs->fw.ip.outiface, op); + } - if (cs->fw.ip.proto != 0) + if (cs->fw.ip.proto != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO); add_proto(r, offsetof(struct iphdr, protocol), 1, - cs->fw.ip.proto, cs->fw.ip.invflags); + cs->fw.ip.proto, op); + } if (cs->fw.ip.src.s_addr != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_SRCIP); add_addr(r, offsetof(struct iphdr, saddr), &cs->fw.ip.src.s_addr, &cs->fw.ip.smsk.s_addr, - sizeof(struct in_addr), cs->fw.ip.invflags); + sizeof(struct in_addr), op); } if (cs->fw.ip.dst.s_addr != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_DSTIP); add_addr(r, offsetof(struct iphdr, daddr), &cs->fw.ip.dst.s_addr, &cs->fw.ip.dmsk.s_addr, - sizeof(struct in_addr), cs->fw.ip.invflags); + sizeof(struct in_addr), op); } if (cs->fw.ip.flags & IPT_F_FRAG) { add_payload(r, offsetof(struct iphdr, frag_off), 2); @@ -57,11 +65,7 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) add_bitwise_u16(r, 0x1fff, !0x1fff); /* if offset is non-zero, this is a fragment */ - if (cs->fw.ip.invflags & IPT_INV_FRAG) - op = NFT_CMP_EQ; - else - op = NFT_CMP_NEQ; - + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_FRAG); add_cmp_u16(r, 0, op); } |