diff options
| author | Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> | 2021-04-01 16:47:08 +0300 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2021-04-02 17:04:55 +0200 |
| commit | 18d7535d8bce1a13668e9982f53cbd3e56e8c634 (patch) | |
| tree | bbe3d99f61c457d9a93da236713b68ee02e60b29 /extensions/libxt_conntrack.c | |
| parent | 18e334da7363ba186edb1700056e26ded27ca5ba (diff) | |
extensions: libxt_conntrack: use bitops for status negation
At the moment, status_xlate_print function prints statusmask as comma-separated
sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus
condition then we have to use more complex expression (if more than one flag enabled)
because nft not supports syntax like "ct status != expected,assured".
Examples:
! --ctstatus CONFIRMED,ASSURED
should be translated as
ct status & (assured|confirmed) == 0
! --ctstatus CONFIRMED
can be translated as
ct status & confirmed == 0
See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference).
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...
it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions/libxt_conntrack.c')
| -rw-r--r-- | extensions/libxt_conntrack.c | 30 |
1 files changed, 21 insertions, 9 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c index 91f9e4aa..7f7b45ee 100644 --- a/extensions/libxt_conntrack.c +++ b/extensions/libxt_conntrack.c @@ -1200,26 +1200,39 @@ static int state_xlate(struct xt_xlate *xl, return 1; } -static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask) +static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted) { const char *sep = ""; + int one_flag_set; + + one_flag_set = !(statusmask & (statusmask - 1)); + + if (inverted && !one_flag_set) + xt_xlate_add(xl, "& ("); + else if (inverted) + xt_xlate_add(xl, "& "); if (statusmask & IPS_EXPECTED) { xt_xlate_add(xl, "%s%s", sep, "expected"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_SEEN_REPLY) { xt_xlate_add(xl, "%s%s", sep, "seen-reply"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_ASSURED) { xt_xlate_add(xl, "%s%s", sep, "assured"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } if (statusmask & IPS_CONFIRMED) { xt_xlate_add(xl, "%s%s", sep, "confirmed"); - sep = ","; + sep = inverted && !one_flag_set ? "|" : ","; } + + if (inverted && !one_flag_set) + xt_xlate_add(xl, ") == 0"); + else if (inverted) + xt_xlate_add(xl, " == 0"); } static void addr_xlate_print(struct xt_xlate *xl, @@ -1277,10 +1290,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl, } if (sinfo->match_flags & XT_CONNTRACK_STATUS) { - xt_xlate_add(xl, "%sct status %s", space, - sinfo->invert_flags & XT_CONNTRACK_STATUS ? - "!= " : ""); - status_xlate_print(xl, sinfo->status_mask); + xt_xlate_add(xl, "%sct status ", space); + status_xlate_print(xl, sinfo->status_mask, + sinfo->invert_flags & XT_CONNTRACK_STATUS); space = " "; } |