From 68c57e809f69108694cce2d502a3ed1c328d13e8 Mon Sep 17 00:00:00 2001
From: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Date: Tue, 26 Jul 2016 18:45:24 +0200
Subject: xtables-translate: fix issue with quotes

Some translations included escaped quotes when they were called from
nft:

$ sudo nft list ruleset
table ip mangle {
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
        ct helper \"ftp\" counter packets 0 bytes 0
                  ^^   ^^
    }
}

This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue using a new
parameter (escape_quotes) in the xlate functions.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libip6t_LOG.c     |  8 ++++++--
 extensions/libipt_LOG.c      |  8 ++++++--
 extensions/libxt_NFLOG.c     | 13 +++++++++----
 extensions/libxt_helper.c    |  8 ++++++--
 include/xtables.h            |  2 ++
 iptables/xtables-translate.c |  2 ++
 6 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index cf5f8df5..af77b9a5 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
 	unsigned int i = 0;
 
 	xt_xlate_add(xl, "log ");
-	if (strcmp(loginfo->prefix, "") != 0)
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+	if (strcmp(loginfo->prefix, "") != 0) {
+		if (params->escape_quotes)
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+	}
 
 	for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
 		if (loginfo->level == ip6t_log_xlate_names[i].level &&
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 996dfb60..2784d9bc 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
 	unsigned int i = 0;
 
 	xt_xlate_add(xl, "log ");
-	if (strcmp(loginfo->prefix, "") != 0)
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+	if (strcmp(loginfo->prefix, "") != 0) {
+		if (params->escape_quotes)
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+	}
 
 	for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
 		if (loginfo->level != LOG_DEFAULT_LEVEL &&
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index e6d627af..02a1b4aa 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -107,11 +107,16 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
 }
 
 static void nflog_print_xlate(const struct xt_nflog_info *info,
-			      struct xt_xlate *xl)
+			      struct xt_xlate *xl, bool escape_quotes)
 {
 	xt_xlate_add(xl, "log ");
-	if (info->prefix[0] != '\0')
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+	if (info->prefix[0] != '\0') {
+		if (escape_quotes)
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
+
+	}
 	if (info->flags & XT_NFLOG_F_COPY_LEN)
 		xt_xlate_add(xl, "snaplen %u ", info->len);
 	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
@@ -125,7 +130,7 @@ static int NFLOG_xlate(struct xt_xlate *xl,
 	const struct xt_nflog_info *info =
 		(struct xt_nflog_info *)params->target->data;
 
-	nflog_print_xlate(info, xl);
+	nflog_print_xlate(info, xl, params->escape_quotes);
 
 	return 1;
 }
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 6860127b..2afbf996 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -50,8 +50,12 @@ static int helper_xlate(struct xt_xlate *xl,
 {
 	const struct xt_helper_info *info = (const void *)params->match->data;
 
-	xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
-		   info->invert ? " !=" : "", info->name);
+	if (params->escape_quotes)
+		xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
+			   info->invert ? " !=" : "", info->name);
+	else
+		xt_xlate_add(xl, "ct helper%s \"%s\"",
+			   info->invert ? " !=" : "", info->name);
 
 	return 1;
 }
diff --git a/include/xtables.h b/include/xtables.h
index 73ab8256..e9bc3b7d 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -211,12 +211,14 @@ struct xt_xlate_mt_params {
 	const void			*ip;
 	const struct xt_entry_match	*match;
 	int				numeric;
+	bool				escape_quotes;
 };
 
 struct xt_xlate_tg_params {
 	const void			*ip;
 	const struct xt_entry_target	*target;
 	int				numeric;
+	bool				escape_quotes;
 };
 
 /* Include file for additions: new matches and targets. */
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 678228b2..9044d27c 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -53,6 +53,7 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
 				.ip		= (const void *)&cs->fw,
 				.target		= cs->target->t,
 				.numeric	= numeric,
+				.escape_quotes	= true,
 			};
 			ret = cs->target->xlate(xl, &params);
 		}
@@ -79,6 +80,7 @@ int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl)
 			.ip		= (const void *)&cs->fw,
 			.match		= matchp->match->m,
 			.numeric	= numeric,
+			.escape_quotes	= true,
 		};
 
 		if (!matchp->match->xlate)
-- 
cgit v1.2.3