diff options
| author | Phil Sutter <phil@nwl.cc> | 2024-02-01 15:27:03 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-02-02 18:26:14 +0100 |
| commit | c5d75387131e8cb1fc4d22b2e2e264297baf4622 (patch) | |
| tree | af94e429f7c1309aed9afb934ae6a4caee0260e0 /extensions/libipt_ah.c | |
| parent | 9d41421a887f4bc4b3ba10174cf43ee2c6b76956 (diff) | |
extensions: ah: Save/xlate inverted full ranges
While at it, fix xlate output for plain '-m ah' matches: With
ip6tables-translate, one should emit an extdhr exists match since
ip6t_ah.c in kernel also uses ipv6_find_hdr(). With iptables-translate,
a simple 'meta l4proto ah' was missing.
Fixes: bb498c8ba7bb3 ("extensions: libip6t_ah: Fix translation of plain '-m ah'")
Fixes: b9a46ee406165 ("extensions: libipt_ah: Add translation to nft")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libipt_ah.c')
| -rw-r--r-- | extensions/libipt_ah.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c index fec5705c..39e3013d 100644 --- a/extensions/libipt_ah.c +++ b/extensions/libipt_ah.c @@ -39,13 +39,18 @@ static void ah_parse(struct xt_option_call *cb) ahinfo->invflags |= IPT_AH_INV_SPI; } +static bool skip_spi_match(uint32_t min, uint32_t max, bool inv) +{ + return min == 0 && max == UINT32_MAX && !inv; +} + static void print_spis(const char *name, uint32_t min, uint32_t max, int invert) { const char *inv = invert ? "!" : ""; - if (min != 0 || max != 0xFFFFFFFF || invert) { + if (!skip_spi_match(min, max, invert)) { printf("%s", name); if (min == max) { printf(":%s", inv); @@ -75,11 +80,10 @@ static void ah_print(const void *ip, const struct xt_entry_match *match, static void ah_save(const void *ip, const struct xt_entry_match *match) { const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data; + bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI; - if (!(ahinfo->spis[0] == 0 - && ahinfo->spis[1] == 0xFFFFFFFF)) { - printf("%s --ahspi ", - (ahinfo->invflags & IPT_AH_INV_SPI) ? " !" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + printf("%s --ahspi ", inv_spi ? " !" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) printf("%u:%u", @@ -96,15 +100,17 @@ static int ah_xlate(struct xt_xlate *xl, const struct xt_xlate_mt_params *params) { const struct ipt_ah *ahinfo = (struct ipt_ah *)params->match->data; + bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI; - if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) { - xt_xlate_add(xl, "ah spi%s ", - (ahinfo->invflags & IPT_AH_INV_SPI) ? " !=" : ""); + if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) { + xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : ""); if (ahinfo->spis[0] != ahinfo->spis[1]) xt_xlate_add(xl, "%u-%u", ahinfo->spis[0], ahinfo->spis[1]); else xt_xlate_add(xl, "%u", ahinfo->spis[0]); + } else { + xt_xlate_add(xl, "meta l4proto ah"); } return 1; |