author | Phil Sutter <phil@nwl.cc> | 2022-12-01 15:08:01 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-12-02 01:47:32 +0100 |
commit | 5baa4279264bb4ab93c6e80b4887f2bd29691446 (patch) | |
tree | aa419b31e3320b66213fd0842da4a0a3eb0e25e1 /iptables | |
parent | f200aca7ff7b6a0edbe9024f0543b3f58111c50e (diff) |
nft: Fix match generator for '! -i +'
It's actually nonsense since it will never match, but iptables accepts
it and the resulting nftables rule must behave identically. Reuse the
solution implemented in xtables-translate (by commit e179e87a1179e)
and turn the above match into 'iifname INVAL/D'.
The commit this fixes merely ignored the fact that "any interface" match
might be inverted.
Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-shared.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 03e13fdc..2bb46709 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -168,6 +168,9 @@ void add_iniface(struct nft_handle *h, struct nftnl_rule *r,
 if (iface[iface_len - 1] == '+') {
 if (iface_len > 1)
 add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+ else if (op != NFT_CMP_EQ)
+ add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+ strlen("INVAL/D") + 1, reg);
 } else {
 add_cmp_ptr(r, op, iface, iface_len + 1, reg);
 }
@@ -185,6 +188,9 @@ void add_outiface(struct nft_handle *h, struct nftnl_rule *r,
 if (iface[iface_len - 1] == '+') {
 if (iface_len > 1)
 add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+ else if (op != NFT_CMP_EQ)
+ add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+ strlen("INVAL/D") + 1, reg);
 } else {
 add_cmp_ptr(r, op, iface, iface_len + 1, reg);
 }
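Review bot: The "INVAL/D" sentinel is an unexplained magic string in the new else-if branch of add_iniface, and the identical three lines are repeated in the add_outiface hunk, so a reader has no hint why a never-matching compare is emitted for an inverted '+' and the two copies can drift apart. A one-line comment above the branch, `/* '! -i +' can never match; compare against a name no interface can have, as xtables-translate does */`, would carry the rationale from the commit message into the code (presumably the '/' is what makes the name impossible; worth stating if so). The literal is also spelled twice per call; `add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D", sizeof("INVAL/D"), reg);` keeps the terminating NUL the existing `iface_len + 1` path already includes without the second copy, and hoisting it into a single `static const char` shared by both functions would remove the duplication entirely. Both enclosing functions begin before their hunks, so the guard that keeps `iface[iface_len - 1]` from indexing below the buffer for an empty name is outside this view and should be confirmed there.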