authorLiping Zhang <liping.zhang@spreadtrum.com>2016-07-30 13:20:59 +0800
committerPablo Neira Ayuso <pablo@netfilter.org>2016-08-01 14:21:27 +0200
commit0ddd663e9c167f9f0451dac8c02bbfcda25fe15e (patch)
treecf45f737d411decb39d13c4bec30a3872a94f7f9 /iptables/nft-ipv6.c
parent68c57e809f69108694cce2d502a3ed1c328d13e8 (diff)
iptables-translate: add in/out ifname wildcard match translation to nft
In iptables, "-i eth+" matches every input interface name with the prefix "eth". In nftables, the same match is written "iifname eth*". The translation therefore has to handle this subtle difference.

With this patch applied, the translation becomes:

# iptables-translate -A INPUT -i eth+
nft add rule ip filter INPUT iifname eth* counter

# ip6tables-translate -A OUTPUT ! -o eth+
nft add rule ip6 filter OUTPUT oifname != eth* counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r--iptables/nft-ipv6.c16
1 files changed, 4 insertions, 12 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index bfbf8dff..8ca523c8 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -404,18 +404,10 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
const char *comment;
int ret;
- if (cs->fw6.ipv6.iniface[0] != '\0') {
- xt_xlate_add(xl, "iifname %s%s ",
- cs->fw6.ipv6.invflags & IP6T_INV_VIA_IN ?
- "!= " : "",
- cs->fw6.ipv6.iniface);
- }
- if (cs->fw6.ipv6.outiface[0] != '\0') {
- xt_xlate_add(xl, "oifname %s%s ",
- cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT ?
- "!= " : "",
- cs->fw6.ipv6.outiface);
- }
+ xlate_ifname(xl, "iifname", cs->fw6.ipv6.iniface,
+ cs->fw6.ipv6.invflags & IP6T_INV_VIA_IN);
+ xlate_ifname(xl, "oifname", cs->fw6.ipv6.outiface,
+ cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
if (cs->fw6.ipv6.proto != 0) {
const struct protoent *pent =