diff options
Diffstat (limited to 'extensions')
-rw-r--r-- | extensions/libxt_conntrack.c | 30 | ||||
-rw-r--r-- | extensions/libxt_conntrack.txlate | 8 |
2 files changed, 28 insertions, 10 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 91f9e4aa..7f7b45ee 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1200,26 +1200,39 @@ static int state_xlate(struct xt_xlate *xl, return 1; } -static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) +static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted) { const char *sep = ""; + int one_flag_set; + + one_flag_set = !(statusmask & (statusmask - 1)); + + if (inverted && !one_flag_set) + xt_xlate_add(xl, "& ("); + else if (inverted) + xt_xlate_add(xl, "& "); if (statusmask & IPS_EXPECTED) { xt_xlate_add(xl, "%s%s", sep, "expected"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_SEEN_REPLY) { xt_xlate_add(xl, "%s%s", sep, "seen-reply"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_ASSURED) { xt_xlate_add(xl, "%s%s", sep, "assured"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_CONFIRMED) { xt_xlate_add(xl, "%s%s", sep, "confirmed"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } + + if (inverted && !one_flag_set) + xt_xlate_add(xl, ") == 0"); + else if (inverted) + xt_xlate_add(xl, " == 0"); } static void addr_xlate_print(struct xt_xlate *xl, @@ -1277,10 +1290,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_STATUS) { - xt_xlate_add(xl, "%sct status %s", space, - sinfo->invert_flags & XT_CONNTRACK_STATUS ? - "!= " : ""); - status_xlate_print(xl, sinfo->status_mask); + xt_xlate_add(xl, "%sct status ", space); + status_xlate_print(xl, sinfo->status_mask, + sinfo->invert_flags & XT_CONNTRACK_STATUS); space = " "; } diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate index 5ab85b17..8cc7c504 100644 --- a/extensions/libxt_conntrack.txlate +++ b/extensions/libxt_conntrack.txlate @@ -35,7 +35,13 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT nft add rule ip filter INPUT ct status expected counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT -nft add rule ip filter INPUT ct status != confirmed counter accept +nft add rule ip filter INPUT ct status & confirmed == 0 counter accept + +iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept + +iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft add rule ip filter INPUT ct status assured,confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT nft add rule ip filter INPUT ct expiration 3 counter accept |