author | Liping Zhang <liping.zhang@spreadtrum.com> | 2016-10-07 19:08:51 +0800 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-10-14 18:59:35 +0200 |
commit | 129ed57b8e050e8e57deeefc2ed36ec979265d8a (patch) | |
tree | 026db10e09ee8100358a5c6aff9486cf1e36dd97 /extensions/libxt_standard.t | |
parent | 837ca1e34893c67d8e195a4132d1517cb7d4bb11 (diff) |
extensions: libxt_iprange: handle the invert flag properly in translation

If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:

    # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
    nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
    # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
    nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter

Apply this patch:

    # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
    nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter
    # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
    nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_standard.t')
0 files changed, 0 insertions, 0 deletions
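
For auditing a ruleset that was generated by a pre-patch `iptables-translate`, the following added example (not part of this commit or of the iptables project) finds iprange rules with `!=` placed before the selector and proposes the form shown in the commit message. The function names and the regular expression are assumptions of this example; the sample lines are the four outputs quoted in the commit message.

```python
import re

# Pre-patch shape: operator emitted before the selector, e.g.
#   "!= ip daddr 1.1.1.1-1.1.1.2"  or  "!= ip6 saddr 2003::1-2003::3"
# (hypothetical pattern written for this example, covering only iprange output)
MISPLACED = re.compile(
    r"(?<!\S)!=\s+(?P<sel>ip6?\s+[sd]addr)\s+"
    r"(?P<range>[0-9A-Fa-f:.]+-[0-9A-Fa-f:.]+)(?!\S)"
)


def fix_line(line):
    """Return (corrected_line, changed) for one translated rule."""
    def move_operator(m):
        selector = " ".join(m["sel"].split())  # normalise inner whitespace
        return f"{selector} != {m['range']}"

    fixed, count = MISPLACED.subn(move_operator, line)
    return fixed, count > 0


def audit(lines):
    """Return [(lineno, original, corrected)] for rules with a misplaced '!='."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        fixed, changed = fix_line(line)
        if changed:
            findings.append((lineno, line, fixed))
    return findings


# The four rule lines quoted in the commit message: two pre-patch, two post-patch.
SAMPLE = [
    "nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter",
    "nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter",
    "nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter",
    "nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter",
]

if __name__ == "__main__":
    for lineno, original, corrected in audit(SAMPLE):
        print(f"line {lineno}: misplaced '!='")
        print(f"  was: {original}")
        print(f"  fix: {corrected}")
```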