xtables-translate: Fix for iface++

In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.

Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>

2 files changed, 7 insertions, 3 deletions

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index c92d082a..0e256c37 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -23,6 +23,10 @@ nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:
 iptables-translate -A FORWARD -i '*' -o 'eth*foo'
 nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
 
+# escape all asterisks but translate only the first plus character
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
+
 # skip for always matching interface names
 iptables-translate -A FORWARD -i '+'
 nft add rule ip filter FORWARD counter
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index c4e177c0..0f95855b 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -40,9 +40,6 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 
 	for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
 		switch (ifname[i]) {
-		case '+':
-			iface[j] = '*';
-			break;
 		case '*':
 			iface[j++] = '\\';
 			/* fall through */
@@ -65,6 +62,9 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 		invert = false;
 	}
 
+	if (iface[j - 2] == '+')
+		iface[j - 2] = '*';
+
 	xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
 }