From f035be35c749d5c5cbb7ffdbcd1c548b91bd3033 Mon Sep 17 00:00:00 2001 From: "Pablo M. Bermudo Garay" Date: Sat, 9 Jul 2016 12:27:51 +0200 Subject: xtables-translate: fix multiple spaces issue This patch fixes a multiple spaces issue. The problem arises when a rule set loaded through iptables-compat-restore is listed in nft. Before this commit, two spaces were printed after every match translation: $ sudo iptables-save *filter :INPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT COMMIT $ sudo iptables-compat-restore iptables-save $ sudo nft list ruleset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ct state related,established counter packets 0 bytes 0 accept ^^ ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept ^^ ^^ } } Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_iprange.c | 38 +++++++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 13 deletions(-) (limited to 'extensions/libxt_iprange.c') diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c index 8da7de1c..d68df480 100644 --- a/extensions/libxt_iprange.c +++ b/extensions/libxt_iprange.c @@ -319,17 +319,21 @@ static int iprange_xlate(const void *ip, const struct xt_entry_match *match, struct xt_xlate *xl, int numeric) { const struct ipt_iprange_info *info = (const void *)match->data; + char *space = ""; if (info->flags & IPRANGE_SRC) { if (info->flags & IPRANGE_SRC_INV) xt_xlate_add(xl, "!= "); xt_xlate_add(xl, "ip saddr"); print_iprange_xlate(&info->src, xl); + space = " "; } if (info->flags & IPRANGE_DST) { - if (info->flags & IPRANGE_DST_INV) - xt_xlate_add(xl, "!= "); - xt_xlate_add(xl, "ip daddr"); + if (info->flags & IPRANGE_DST_INV) { + xt_xlate_add(xl, "%s!= ", space); + space = ""; + } + xt_xlate_add(xl, "%sip daddr", space); print_iprange_xlate(&info->dst, xl); } @@ -340,21 +344,25 @@ static int iprange_mt4_xlate(const void *ip, const struct xt_entry_match *match, struct xt_xlate *xl, int numeric) { const struct xt_iprange_mtinfo *info = (const void *)match->data; + char *space = ""; if (info->flags & IPRANGE_SRC) { if (info->flags & IPRANGE_SRC_INV) xt_xlate_add(xl, "!= "); xt_xlate_add(xl, "ip saddr %s", xtables_ipaddr_to_numeric(&info->src_min.in)); - xt_xlate_add(xl, "-%s ", + xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&info->src_max.in)); + space = " "; } if (info->flags & IPRANGE_DST) { - if (info->flags & IPRANGE_DST_INV) - xt_xlate_add(xl, "!= "); - xt_xlate_add(xl, "ip daddr %s", + if (info->flags & IPRANGE_DST_INV) { + xt_xlate_add(xl, "%s!= ", space); + space = ""; + } + xt_xlate_add(xl, "%sip daddr %s", space, xtables_ipaddr_to_numeric(&info->dst_min.in)); - xt_xlate_add(xl, "-%s ", + xt_xlate_add(xl, "-%s", xtables_ipaddr_to_numeric(&info->dst_max.in)); } @@ -365,21 +373,25 @@ static int iprange_mt6_xlate(const void *ip, const struct xt_entry_match *match, struct xt_xlate *xl, int numeric) { const struct xt_iprange_mtinfo *info = (const void *)match->data; + char *space = ""; if (info->flags & IPRANGE_SRC) { if (info->flags & IPRANGE_SRC_INV) xt_xlate_add(xl, "!= "); xt_xlate_add(xl, "ip saddr %s", xtables_ip6addr_to_numeric(&info->src_min.in6)); - xt_xlate_add(xl, "-%s ", + xt_xlate_add(xl, "-%s", xtables_ip6addr_to_numeric(&info->src_max.in6)); + space = " "; } if (info->flags & IPRANGE_DST) { - if (info->flags & IPRANGE_DST_INV) - xt_xlate_add(xl, "!= "); - xt_xlate_add(xl, "ip daddr %s", + if (info->flags & IPRANGE_DST_INV) { + xt_xlate_add(xl, "%s!= ", space); + space = ""; + } + xt_xlate_add(xl, "%sip daddr %s", space, xtables_ip6addr_to_numeric(&info->dst_min.in6)); - xt_xlate_add(xl, "-%s ", + xt_xlate_add(xl, "-%s", xtables_ip6addr_to_numeric(&info->dst_max.in6)); } -- cgit v1.2.3