authorPhil Sutter <phil@nwl.cc>2023-11-17 17:27:56 +0100
committerPhil Sutter <phil@nwl.cc>2023-11-29 02:33:04 +0100
commit9ccae63974755d845337fa6b6648ed0de32c9064 (patch)
tree522119784abfc1c771b00c4719584d20413935b8
parentfe70364b361194f5271661eb15207b10572d3fba (diff)
nft: Leave interface masks alone when parsing from kernel
The mask is entirely unused by the nft variants in general, and by the legacy ones when printing. It is relevant only when inserting a legacy rule into the kernel, as the kernel doesn't detect the '+'-suffix. Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--iptables/nft-ruleparse-arp.c5
-rw-r--r--iptables/nft-ruleparse-bridge.c3
-rw-r--r--iptables/nft-ruleparse-ipv4.c5
-rw-r--r--iptables/nft-ruleparse-ipv6.c3
-rw-r--r--iptables/nft-ruleparse.c33
-rw-r--r--iptables/nft-ruleparse.h3
6 files changed, 16 insertions, 36 deletions
diff --git a/iptables/nft-ruleparse-arp.c b/iptables/nft-ruleparse-arp.c
index cd74747e..b0671cb0 100644
--- a/iptables/nft-ruleparse-arp.c
+++ b/iptables/nft-ruleparse-arp.c
@@ -34,9 +34,8 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx,
struct arpt_entry *fw = &cs->arp;
uint8_t flags = 0;
- if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface, fw->arp.iniface_mask,
- fw->arp.outiface, fw->arp.outiface_mask,
- &flags) == 0) {
+ if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface,
+ fw->arp.outiface, &flags) == 0) {
fw->arp.invflags |= flags;
return;
}
diff --git a/iptables/nft-ruleparse-bridge.c b/iptables/nft-ruleparse-bridge.c
index c6cc9af5..aee08b13 100644
--- a/iptables/nft-ruleparse-bridge.c
+++ b/iptables/nft-ruleparse-bridge.c
@@ -43,7 +43,8 @@ static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
return;
}
- if (parse_meta(ctx, e, reg->meta_dreg.key, iifname, NULL, oifname, NULL, &invflags) < 0) {
+ if (parse_meta(ctx, e, reg->meta_dreg.key,
+ iifname, oifname, &invflags) < 0) {
ctx->errmsg = "unknown meta key";
return;
}
diff --git a/iptables/nft-ruleparse-ipv4.c b/iptables/nft-ruleparse-ipv4.c
index 491cbf42..fe65b33c 100644
--- a/iptables/nft-ruleparse-ipv4.c
+++ b/iptables/nft-ruleparse-ipv4.c
@@ -41,9 +41,8 @@ static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx,
break;
}
- if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
- cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
- &cs->fw.ip.invflags) == 0)
+ if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface,
+ cs->fw.ip.outiface, &cs->fw.ip.invflags) == 0)
return;
ctx->errmsg = "unknown ipv4 meta key";
diff --git a/iptables/nft-ruleparse-ipv6.c b/iptables/nft-ruleparse-ipv6.c
index 7581b863..29b08580 100644
--- a/iptables/nft-ruleparse-ipv6.c
+++ b/iptables/nft-ruleparse-ipv6.c
@@ -42,8 +42,7 @@ static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx,
}
if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw6.ipv6.iniface,
- cs->fw6.ipv6.iniface_mask, cs->fw6.ipv6.outiface,
- cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags) == 0)
+ cs->fw6.ipv6.outiface, &cs->fw6.ipv6.invflags) == 0)
return;
ctx->errmsg = "unknown ipv6 meta key";
diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index c8322f93..0bbdf44f 100644
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -983,18 +983,14 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
return ret;
}
-static void parse_ifname(const char *name, unsigned int len,
- char *dst, unsigned char *mask)
+static void parse_ifname(const char *name, unsigned int len, char *dst)
{
if (len == 0)
return;
memcpy(dst, name, len);
- if (name[len - 1] == '\0') {
- if (mask)
- memset(mask, 0xff, strlen(name) + 1);
+ if (name[len - 1] == '\0')
return;
- }
if (len >= IFNAMSIZ)
return;
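Review bot: `memcpy(dst, name, len)` still runs before `len` is compared with IFNAMSIZ, so a length above the destination's capacity (dst is presumably an IFNAMSIZ-byte iniface/outiface field, judging by the callers in this commit) overruns it; the bound belongs in the entry guard, `if (len == 0 || len > IFNAMSIZ) return;`. The length is taken from the expression data handed to parse_meta rather than computed here, so the check is cheap insurance even if the kernel is expected to keep names within IFNAMSIZ. Separately, when len equals IFNAMSIZ and the name carries no terminator, the function returns after the copy without NUL-terminating dst, which the `strcmp` in parse_invalid_iface later relies on unless the caller pre-zeroed the buffer. parse_ifname continues past this hunk.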
@@ -1004,12 +1000,9 @@ static void parse_ifname(const char *name, unsigned int len,
if (len >= IFNAMSIZ)
return;
dst[len++] = 0;
- if (mask)
- memset(mask, 0xff, len - 2);
}
-static void parse_invalid_iface(char *iface, unsigned char *mask,
- uint8_t *invflags, uint8_t invbit)
+static void parse_invalid_iface(char *iface, uint8_t *invflags, uint8_t invbit)
{
if (*invflags & invbit || strcmp(iface, "INVAL/D"))
return;
@@ -1018,9 +1011,6 @@ static void parse_invalid_iface(char *iface, unsigned char *mask,
*invflags |= invbit;
iface[0] = '+';
iface[1] = '\0';
- mask[0] = 0xff;
- mask[1] = 0xff;
- memset(mask + 2, 0, IFNAMSIZ - 2);
}
static uint32_t get_meta_mask(struct nft_xt_ctx *ctx, enum nft_registers sreg)
@@ -1071,8 +1061,7 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
}
int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
- char *iniface, unsigned char *iniface_mask,
- char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
+ char *iniface, char *outiface, uint8_t *invflags)
{
uint32_t value;
const void *ifname;
@@ -1085,8 +1074,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
*invflags |= IPT_INV_VIA_IN;
if_indextoname(value, iniface);
-
- memset(iniface_mask, 0xff, strlen(iniface)+1);
break;
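Review bot: The return value of `if_indextoname(value, iniface)` is still unchecked, so when the index no longer resolves the buffer keeps whatever it held and the rule may be shown with a stale or empty name; the same applies to the outiface branch in the next hunk. Since the mask memset that followed it is now gone, this call is the only thing writing iniface in this case, so a failure is worth surfacing, e.g. `if (!if_indextoname(value, iniface)) ctx->errmsg = "cannot resolve interface index";` — provided ctx->errmsg is the right channel here, which I cannot tell from the hunk since parse_meta's callers and its return on this path are outside it. parse_meta continues outside the hunk.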
case NFT_META_OIF:
value = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_DATA);
@@ -1094,8 +1081,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
*invflags |= IPT_INV_VIA_OUT;
if_indextoname(value, outiface);
-
- memset(outiface_mask, 0xff, strlen(outiface)+1);
break;
case NFT_META_BRI_IIFNAME:
case NFT_META_IIFNAME:
@@ -1103,9 +1088,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
*invflags |= IPT_INV_VIA_IN;
- parse_ifname(ifname, len, iniface, iniface_mask);
- parse_invalid_iface(iniface, iniface_mask,
- invflags, IPT_INV_VIA_IN);
+ parse_ifname(ifname, len, iniface);
+ parse_invalid_iface(iniface, invflags, IPT_INV_VIA_IN);
break;
case NFT_META_BRI_OIFNAME:
case NFT_META_OIFNAME:
@@ -1113,9 +1097,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
*invflags |= IPT_INV_VIA_OUT;
- parse_ifname(ifname, len, outiface, outiface_mask);
- parse_invalid_iface(outiface, outiface_mask,
- invflags, IPT_INV_VIA_OUT);
+ parse_ifname(ifname, len, outiface);
+ parse_invalid_iface(outiface, invflags, IPT_INV_VIA_OUT);
break;
case NFT_META_MARK:
parse_meta_mark(ctx, e);
diff --git a/iptables/nft-ruleparse.h b/iptables/nft-ruleparse.h
index 25ce05d2..62c9160d 100644
--- a/iptables/nft-ruleparse.h
+++ b/iptables/nft-ruleparse.h
@@ -128,8 +128,7 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
#define max(x, y) ((x) > (y) ? (x) : (y))
int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
- char *iniface, unsigned char *iniface_mask, char *outiface,
- unsigned char *outiface_mask, uint8_t *invflags);
+ char *iniface, char *outiface, uint8_t *invflags);
int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
struct iptables_command_state *cs);
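Review bot: The new prototype drops the two mask parameters but the header carries no comment saying what the remaining buffers are, so a reader has to open nft-ruleparse.c to learn that `iniface`/`outiface` receive the (possibly '+'-suffixed) interface name and that the interface masks are now left untouched, which the commit message explains but the header does not. A short comment above the declaration would close that gap, e.g. `/* Fill iniface/outiface (IFNAMSIZ-byte buffers) from a meta expression; interface masks are not written. Returns 0 on success, < 0 on an unknown key. */`. The buffer size and the return convention are inferred from the callers changed in this commit, so confirm them against the definition before committing the wording.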