authorPablo M. Bermudo Garay <pablombg@gmail.com>2016-07-26 18:45:24 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-07-27 13:56:51 +0200
commit68c57e809f69108694cce2d502a3ed1c328d13e8 (patch)
tree862c9d4e3cc4a15d9f800d98f9757eaea694a255
parent6604bc6131bf059bce458040ed6b93bcd37fb635 (diff)
xtables-translate: fix issue with quotes
Some translations included escaped quotes when they were called from nft: $ sudo nft list ruleset table ip mangle { chain FORWARD { type filter hook forward priority -150; policy accept; ct helper \"ftp\" counter packets 0 bytes 0 ^^ ^^ } } This behavior is only correct when xlate functions are called from a xtables-translate command. This patch solves that issue using a new parameter (escape_quotes) in the xlate functions. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--extensions/libip6t_LOG.c8
-rw-r--r--extensions/libipt_LOG.c8
-rw-r--r--extensions/libxt_NFLOG.c13
-rw-r--r--extensions/libxt_helper.c8
-rw-r--r--include/xtables.h2
-rw-r--r--iptables/xtables-translate.c2
6 files changed, 31 insertions, 10 deletions
diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index cf5f8df5..af77b9a5 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
unsigned int i = 0;
xt_xlate_add(xl, "log ");
- if (strcmp(loginfo->prefix, "") != 0)
- xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ if (strcmp(loginfo->prefix, "") != 0) {
+ if (params->escape_quotes)
+ xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ else
+ xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+ }
for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
if (loginfo->level == ip6t_log_xlate_names[i].level &&
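Review bot: In both branches `loginfo->prefix` is copied between the quotes with a bare `%s`, so a prefix that itself contains `"` or a backslash ends the quoted string early and the remainder is read as rule text (and, in the escaped form, as shell text once the translated line is pasted into a shell). That predates this commit, but the new unescaped branch produces what `nft list ruleset` prints, which is often saved and loaded again, so the characters should be escaped or rejected before the call; how the prefix is validated upstream is not visible here. Separately, the two calls differ only in the quote token and the same if/else is repeated in libipt_LOG.c, libxt_NFLOG.c and libxt_helper.c: `const char *q = params->escape_quotes ? "\\\"" : "\"";` followed by `xt_xlate_add(xl, "prefix %s%s%s ", q, loginfo->prefix, q);` keeps one format string per site. LOG_xlate starts and ends outside the hunk.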
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 996dfb60..2784d9bc 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
unsigned int i = 0;
xt_xlate_add(xl, "log ");
- if (strcmp(loginfo->prefix, "") != 0)
- xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ if (strcmp(loginfo->prefix, "") != 0) {
+ if (params->escape_quotes)
+ xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+ else
+ xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+ }
for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
if (loginfo->level != LOG_DEFAULT_LEVEL &&
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index e6d627af..02a1b4aa 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -107,11 +107,16 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
}
static void nflog_print_xlate(const struct xt_nflog_info *info,
- struct xt_xlate *xl)
+ struct xt_xlate *xl, bool escape_quotes)
{
xt_xlate_add(xl, "log ");
- if (info->prefix[0] != '\0')
- xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+ if (info->prefix[0] != '\0') {
+ if (escape_quotes)
+ xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+ else
+ xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
+
+ }
if (info->flags & XT_NFLOG_F_COPY_LEN)
xt_xlate_add(xl, "snaplen %u ", info->len);
if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
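Review bot: The block added to nflog_print_xlate ends with an empty line before its closing `}` that the matching blocks in libip6t_LOG.c and libipt_LOG.c do not have; drop it so the three sites read the same. The new `escape_quotes` parameter is also undocumented, and a one-line comment above the function such as `/* escape_quotes: wrap the prefix in \" (for shell use) instead of " */` would tell the next caller which value to pass. The function body continues past the end of the hunk.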
@@ -125,7 +130,7 @@ static int NFLOG_xlate(struct xt_xlate *xl,
const struct xt_nflog_info *info =
(struct xt_nflog_info *)params->target->data;
- nflog_print_xlate(info, xl);
+ nflog_print_xlate(info, xl, params->escape_quotes);
return 1;
}
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 6860127b..2afbf996 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -50,8 +50,12 @@ static int helper_xlate(struct xt_xlate *xl,
{
const struct xt_helper_info *info = (const void *)params->match->data;
- xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
- info->invert ? " !=" : "", info->name);
+ if (params->escape_quotes)
+ xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
+ info->invert ? " !=" : "", info->name);
+ else
+ xt_xlate_add(xl, "ct helper%s \"%s\"",
+ info->invert ? " !=" : "", info->name);
return 1;
}
diff --git a/include/xtables.h b/include/xtables.h
index 73ab8256..e9bc3b7d 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -211,12 +211,14 @@ struct xt_xlate_mt_params {
const void *ip;
const struct xt_entry_match *match;
int numeric;
+ bool escape_quotes;
};
struct xt_xlate_tg_params {
const void *ip;
const struct xt_entry_target *target;
int numeric;
+ bool escape_quotes;
};
/* Include file for additions: new matches and targets. */
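Review bot: Both new `escape_quotes` members are added without a comment, and going by the commit message this header is also used by callers outside xtables-translate, so the meaning of an unset field is left to guesswork. A params struct filled with designated initializers that omits the member gets `false`, i.e. unescaped quotes, which looks like the intended default for nft but should be stated. Suggested comment on each member: `/* true: emit \" for shell use (xtables-translate); false: plain " */`.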
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 678228b2..9044d27c 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -53,6 +53,7 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
.ip = (const void *)&cs->fw,
.target = cs->target->t,
.numeric = numeric,
+ .escape_quotes = true,
};
ret = cs->target->xlate(xl, &params);
}
@@ -79,6 +80,7 @@ int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl)
.ip = (const void *)&cs->fw,
.match = matchp->match->m,
.numeric = numeric,
+ .escape_quotes = true,
};
if (!matchp->match->xlate)