From d007e1a59e4beaddab430992302d43b122ffc801 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 11 Feb 2014 13:58:03 +0100
Subject: nft-compat: fix IP6T_F_GOTO flag handling

IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv4.c | 8 +++++++-
 iptables/nft-ipv6.c | 14 +++++++++-----
 iptables/nft-shared.c | 5 +----
 iptables/nft.c | 4 ++--
 iptables/nft.h | 2 +-
 5 files changed, 20 insertions(+), 13 deletions(-)
(limited to 'iptables')

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 02645a29..d05e80eb 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -76,7 +76,7 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
 	if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
 		return -1;
 
-	return add_action(r, cs, cs->fw.ip.flags);
+	return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
 }
 
 static bool nft_ipv4_is_same(const void *data_a,
@@ -331,6 +331,12 @@ static void nft_ipv4_save_firewall(const void *data, unsigned int format)
 
 	save_matches_and_target(cs->matches, cs->target, cs->jumpto,
 				cs->fw.ip.flags, &cs->fw);
+
+	if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+		printf("-%c %s", cs->fw.ip.flags & IPT_F_GOTO ? 'g' : 'j',
+		       cs->jumpto);
+	}
+	printf("\n");
 }
 
 static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 7c8b43fc..f08598ae 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -59,7 +59,7 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
 	if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
 		return -1;
 
-	return add_action(r, cs, cs->fw6.ipv6.flags);
+	return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
 }
 
 static bool nft_ipv6_is_same(const void *data_a,
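Review bot: The jump/goto printing block added after save_matches_and_target in nft_ipv4_save_firewall is repeated verbatim in nft-ipv6.c (hunk @@ -234) with only the flag constant changed, which reintroduces the duplication the removed branch in nft-shared.c used to avoid. A small shared helper, `void save_jumpto(const char *jumpto, bool goto_set)` in nft-shared.c holding the `if (strlen(jumpto) > 0) printf("-%c %s", goto_set ? 'g' : 'j', jumpto);` line, would let both callers reduce to `if (cs->target == NULL) save_jumpto(cs->jumpto, cs->fw.ip.flags & IPT_F_GOTO);` followed by `printf("\n");`, mirroring the `bool goto_set` parameter this commit already introduces for add_action. Either way the new block deserves a one-line comment, e.g. `/* target == NULL means the verdict is a chain name: emit -g/-j and end the rule line */`. nft_ipv4_save_firewall begins outside the hunk.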
@@ -138,7 +138,7 @@ static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
 	cs->jumpto = jumpto;
 
 	if (nft_goto)
-		cs->fw6.ipv6.flags |= IPT_F_GOTO;
+		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
 static void print_ipv6_addr(const struct iptables_command_state *cs,
@@ -195,10 +195,8 @@ static void nft_ipv6_print_firewall(struct nft_rule *r, unsigned int num,
 	if (format & FMT_NOTABLE)
 		fputs(" ", stdout);
 
-#ifdef IPT_F_GOTO
-	if (cs.fw6.ipv6.flags & IPT_F_GOTO)
+	if (cs.fw6.ipv6.flags & IP6T_F_GOTO)
 		printf("[goto] ");
-#endif
 
 	print_matches_and_target(&cs, format);
 
@@ -234,6 +232,12 @@ static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 
 	save_matches_and_target(cs->matches, cs->target, cs->jumpto,
 				cs->fw6.ipv6.flags, &cs->fw6);
+
+	if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+		printf("-%c %s", cs->fw6.ipv6.flags & IP6T_F_GOTO ? 'g' : 'j',
+		       cs->jumpto);
+	}
+	printf("\n");
 }
 
 /* These are invalid numbers as upper layer protocol */
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index dce8a34a..ada71e6b 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -648,10 +648,7 @@ void save_matches_and_target(struct xtables_rule_match *m,
 
 		if (target->save != NULL)
 			target->save(fw, target->t);
-	} else if (strlen(jumpto) > 0)
-		printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);
-
-	printf("\n");
+	}
 }
 
 void print_matches_and_target(struct iptables_command_state *cs,
diff --git a/iptables/nft.c b/iptables/nft.c
index 515d124a..a45d599b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -864,7 +864,7 @@ int add_verdict(struct nft_rule *r, int verdict)
 }
 
 int add_action(struct nft_rule *r, struct iptables_command_state *cs,
-	       int ip_flags)
+	       bool goto_set)
 {
 	int ret = 0;
 
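Review bot: In the nft-shared.c hunk, save_matches_and_target no longer emits the trailing newline, so terminating the rule line is now every caller's job; nft-ipv4.c and nft-ipv6.c are updated in this commit, but any other caller outside it would now print a rule without a line break, so the remaining callers should be checked before merging. With the jump branch gone, the `jumpto` and `flags` parameters look unused in the part of the body visible here; if nothing above the hunk reads them, they should be dropped, or at least the contract stated above the function, e.g. `/* Saves matches and the target only; the caller prints "-g/-j <chain>" for chain verdicts and ends the line. */`. save_matches_and_target begins outside the hunk.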
@@ -881,7 +881,7 @@ int add_action(struct nft_rule *r, struct iptables_command_state *cs,
 		ret = add_target(r, cs->target->t);
 	} else if (strlen(cs->jumpto) > 0) {
 		/* Not standard, then it's a go / jump to chain */
-		if (ip_flags & IPT_F_GOTO)
+		if (goto_set)
 			ret = add_jumpto(r, cs->jumpto, NFT_GOTO);
 		else
 			ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
diff --git a/iptables/nft.h b/iptables/nft.h
index 8670f343..92488764 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -107,7 +107,7 @@ int add_verdict(struct nft_rule *r, int verdict);
 int add_match(struct nft_rule *r, struct xt_entry_match *m);
 int add_target(struct nft_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nft_rule *r, const char *name, int verdict);
-int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags);
+int add_action(struct nft_rule *r, struct iptables_command_state *cs, bool goto_set);
 
 enum nft_rule_print {
 	NFT_RULE_APPEND,
-- 
cgit v1.2.3
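Review bot: The add_action prototype in nft.h now uses `bool`, which only compiles if nft.h (or a header it includes) pulls in `<stdbool.h>`; the hunk does not show such an include, so confirm it is already present or add `#include <stdbool.h>` at the top of nft.h so that every translation unit including the header sees the type. The new parameter also lost the self-description the old `ip_flags` name carried, since each family now has to derive it from its own flag bit; a one-line comment on the declaration would help callers, e.g. `/* goto_set: true emits NFT_GOTO (-g), false NFT_JUMP (-j) when cs->jumpto names a chain */`.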