diff options
| author | Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> | 2021-04-01 16:47:08 +0300 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2021-04-02 17:04:55 +0200 |
| commit | 18d7535d8bce1a13668e9982f53cbd3e56e8c634 (patch) | |
| tree | bbe3d99f61c457d9a93da236713b68ee02e60b29 /extensions/libxt_conntrack.txlate | |
| parent | 18e334da7363ba186edb1700056e26ded27ca5ba (diff) | |
extensions: libxt_conntrack: use bitops for status negation
At the moment, status_xlate_print function prints statusmask as comma-separated
sequence of enabled statusmask flags. But if we have inverted conntrack ctstatus
condition then we have to use more complex expression (if more than one flag enabled)
because nft not supports syntax like "ct status != expected,assured".
Examples:
! --ctstatus CONFIRMED,ASSURED
should be translated as
ct status & (assured|confirmed) == 0
! --ctstatus CONFIRMED
can be translated as
ct status & confirmed == 0
See also netfilter/xt_conntrack.c (conntrack_mt() function as a reference).
Reproducer:
$ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstatus expected,assured -j DROP
$ nft list ruleset
...
meta l4proto tcp ip daddr 127.0.0.1 ct status != expected,assured counter packets 0 bytes 0 drop
...
it will fail if we try to load this rule:
$ nft -f nft_test
../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions/libxt_conntrack.txlate')
| -rw-r--r-- | extensions/libxt_conntrack.txlate | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate index 5ab85b17..8cc7c504 100644 --- a/extensions/libxt_conntrack.txlate +++ b/extensions/libxt_conntrack.txlate @@ -35,7 +35,13 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT nft add rule ip filter INPUT ct status expected counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT -nft add rule ip filter INPUT ct status != confirmed counter accept +nft add rule ip filter INPUT ct status & confirmed == 0 counter accept + +iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept + +iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT +nft add rule ip filter INPUT ct status assured,confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT nft add rule ip filter INPUT ct expiration 3 counter accept |