author | Phil Sutter <phil@nwl.cc> | 2022-10-22 15:26:56 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-12-02 01:47:32 +0100 |
commit | 29387a190f5ba04fb8a902dce9602292979a9ba2 (patch) | |
tree | 3a93aee2a6e8710ba77a0ec84bfc7b636643b891 /iptables | |
parent | 5baa4279264bb4ab93c6e80b4887f2bd29691446 (diff) |
nft: Recognize INVAL/D interface name
It is just a hack to translate '! -i +' into a never-matching nft rule,
but recognize it anyway for completeness' sake and to make the xlate replay
test pass.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-shared.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 2bb46709..56acbd45 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -359,6 +359,21 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 	return 0;
 }
 
+static void parse_invalid_iface(char *iface, unsigned char *mask,
+				uint8_t *invflags, uint8_t invbit)
+{
+	if (*invflags & invbit || strcmp(iface, "INVAL/D"))
+		return;
+
+	/* nft's poor "! -o +" excuse */
+	*invflags |= invbit;
+	iface[0] = '+';
+	iface[1] = '\0';
+	mask[0] = 0xff;
+	mask[1] = 0xff;
+	memset(mask + 2, 0, IFNAMSIZ - 2);
+}
+
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 	       char *iniface, unsigned char *iniface_mask,
 	       char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
@@ -393,6 +408,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 			*invflags |= IPT_INV_VIA_IN;
 
 		parse_ifname(ifname, len, iniface, iniface_mask);
+		parse_invalid_iface(iniface, iniface_mask,
+				    invflags, IPT_INV_VIA_IN);
 		break;
 	case NFT_META_BRI_OIFNAME:
 	case NFT_META_OIFNAME:
@@ -401,6 +418,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 			*invflags |= IPT_INV_VIA_OUT;
 
 		parse_ifname(ifname, len, outiface, outiface_mask);
+		parse_invalid_iface(outiface, outiface_mask,
+				    invflags, IPT_INV_VIA_OUT);
 		break;
 	case NFT_META_MARK:
 		parse_meta_mark(ctx, e);
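Review bot: parse_invalid_iface overwrites only the first two bytes of iface, so once the "INVAL/D" check passes the name buffer still carries the stale tail "VAL/D" after the new terminator, whereas the mask tail is explicitly zeroed; string-based consumers will not notice, but anything that compares the full IFNAMSIZ name byte-wise (whether rule comparison does is not visible in the hunk) would treat this entry differently from one parsed on the command line. Zeroing the name the same way as the mask, `memset(iface + 2, 0, IFNAMSIZ - 2);`, keeps the two buffers consistent. The comment `/* nft's poor "! -o +" excuse */` names only the output direction although the helper is called from both the IIFNAME and OIFNAME cases in the two following hunks; I would make it `/* nft encodes "! -i +" / "! -o +" as a match on the impossible name INVAL/D */`, the name presumably being chosen because '/' cannot occur in a kernel interface name. For readability I would also parenthesize the bit test in the guard, `if ((*invflags & invbit) || strcmp(iface, "INVAL/D"))`. The parse_meta body touched by the last two hunks starts and ends outside them.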