diff options
| author | Phil Sutter <phil@nwl.cc> | 2023-12-21 13:24:09 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-01-10 23:33:24 +0100 |
| commit | b1ae6a45c9f38a60a13d9ecb88dcbeb12e5d13e0 (patch) | |
| tree | 266b5b45b82dc62ad087562088c87e96bd74b557 /extensions | |
| parent | f4721951baca81b7d74c5551d0f5c599dbb89bf1 (diff) | |
ebtables: Default to extrapositioned negations
ebtables-nft has always supported both intra- and extrapositioned
negations but defaulted to intrapositioned when printing/saving rules.
With commit 58d364c7120b5 ("ebtables: Use do_parse() from xshared")
though, it started to warn about intrapositioned negations. So change
the default to avoid mandatory warnings when e.g. loading previously
dumped rulesets.
Also adjust test cases, help texts and ebtables-nft.8 accordingly.
Cc: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions')
| -rw-r--r-- | extensions/libebt_802_3.c | 10 | ||||
| -rw-r--r-- | extensions/libebt_802_3.t | 6 | ||||
| -rw-r--r-- | extensions/libebt_among.c | 21 | ||||
| -rw-r--r-- | extensions/libebt_among.t | 12 | ||||
| -rw-r--r-- | extensions/libebt_arp.c | 39 | ||||
| -rw-r--r-- | extensions/libebt_arp.t | 22 | ||||
| -rw-r--r-- | extensions/libebt_ip.c | 37 | ||||
| -rw-r--r-- | extensions/libebt_ip.t | 12 | ||||
| -rw-r--r-- | extensions/libebt_ip.txlate | 4 | ||||
| -rw-r--r-- | extensions/libebt_ip6.c | 29 | ||||
| -rw-r--r-- | extensions/libebt_ip6.t | 16 | ||||
| -rw-r--r-- | extensions/libebt_ip6.txlate | 2 | ||||
| -rw-r--r-- | extensions/libebt_mark_m.c | 4 | ||||
| -rw-r--r-- | extensions/libebt_mark_m.t | 4 | ||||
| -rw-r--r-- | extensions/libebt_mark_m.txlate | 2 | ||||
| -rw-r--r-- | extensions/libebt_pkttype.c | 4 | ||||
| -rw-r--r-- | extensions/libebt_pkttype.t | 14 | ||||
| -rw-r--r-- | extensions/libebt_standard.t | 3 | ||||
| -rw-r--r-- | extensions/libebt_stp.c | 29 | ||||
| -rw-r--r-- | extensions/libebt_stp.t | 28 | ||||
| -rw-r--r-- | extensions/libebt_vlan.c | 19 | ||||
| -rw-r--r-- | extensions/libebt_vlan.t | 10 | ||||
| -rw-r--r-- | extensions/libebt_vlan.txlate | 2 |
23 files changed, 165 insertions, 164 deletions
diff --git a/extensions/libebt_802_3.c b/extensions/libebt_802_3.c index 26a7725c..489185e9 100644 --- a/extensions/libebt_802_3.c +++ b/extensions/libebt_802_3.c @@ -33,9 +33,9 @@ static void br802_3_print_help(void) { printf( "802_3 options:\n" -"--802_3-sap [!] protocol : 802.3 DSAP/SSAP- 1 byte value (hex)\n" +"[!] --802_3-sap protocol : 802.3 DSAP/SSAP- 1 byte value (hex)\n" " DSAP and SSAP are always the same. One SAP applies to both fields\n" -"--802_3-type [!] protocol : 802.3 SNAP Type- 2 byte value (hex)\n" +"[!] --802_3-type protocol : 802.3 SNAP Type- 2 byte value (hex)\n" " Type implies SAP value 0xaa\n"); } @@ -55,16 +55,14 @@ static void br802_3_print(const void *ip, const struct xt_entry_match *match, struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data; if (info->bitmask & EBT_802_3_SAP) { - printf("--802_3-sap "); if (info->invflags & EBT_802_3_SAP) printf("! "); - printf("0x%.2x ", info->sap); + printf("--802_3-sap 0x%.2x ", info->sap); } if (info->bitmask & EBT_802_3_TYPE) { - printf("--802_3-type "); if (info->invflags & EBT_802_3_TYPE) printf("! "); - printf("0x%.4x ", ntohs(info->type)); + printf("--802_3-type 0x%.4x ", ntohs(info->type)); } } diff --git a/extensions/libebt_802_3.t b/extensions/libebt_802_3.t index 2e4945b3..d1e19795 100644 --- a/extensions/libebt_802_3.t +++ b/extensions/libebt_802_3.t @@ -1,7 +1,7 @@ :INPUT,FORWARD,OUTPUT ---802_3-sap ! 0x0a -j CONTINUE;=;FAIL +! --802_3-sap 0x0a -j CONTINUE;=;FAIL --802_3-type 0x000a -j RETURN;=;FAIL -p Length --802_3-sap 0x0a -j CONTINUE;=;OK --p Length --802_3-sap ! 0x0a -j CONTINUE;=;OK +-p Length ! --802_3-sap 0x0a -j CONTINUE;=;OK -p Length --802_3-type 0x000a -j RETURN;=;OK --p Length --802_3-type ! 0x000a -j RETURN;=;OK +-p Length ! --802_3-type 0x000a -j RETURN;=;OK diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c index a80fb804..85f9bee4 100644 --- a/extensions/libebt_among.c +++ b/extensions/libebt_among.c @@ -43,10 +43,10 @@ static void bramong_print_help(void) { printf( "`among' options:\n" -"--among-dst [!] list : matches if ether dst is in list\n" -"--among-src [!] list : matches if ether src is in list\n" -"--among-dst-file [!] file : obtain dst list from file\n" -"--among-src-file [!] file : obtain src list from file\n" +"[!] --among-dst list : matches if ether dst is in list\n" +"[!] --among-src list : matches if ether src is in list\n" +"[!] --among-dst-file file : obtain dst list from file\n" +"[!] --among-src-file file : obtain src list from file\n" "list has form:\n" " xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]" ",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]\n" @@ -188,10 +188,10 @@ static int bramong_parse(int c, char **argv, int invert, } static void __bramong_print(struct nft_among_pair *pairs, - int cnt, bool inv, bool have_ip) + int cnt, bool have_ip) { - const char *isep = inv ? "! " : ""; char abuf[INET_ADDRSTRLEN]; + const char *isep = ""; int i; for (i = 0; i < cnt; i++) { @@ -212,14 +212,13 @@ static void bramong_print(const void *ip, const struct xt_entry_match *match, struct nft_among_data *data = (struct nft_among_data *)match->data; if (data->src.cnt) { - printf("--among-src "); - __bramong_print(data->pairs, - data->src.cnt, data->src.inv, data->src.ip); + printf("%s--among-src ", data->src.inv ? "! " : ""); + __bramong_print(data->pairs, data->src.cnt, data->src.ip); } if (data->dst.cnt) { - printf("--among-dst "); + printf("%s--among-dst ", data->dst.inv ? "! " : ""); __bramong_print(data->pairs + data->src.cnt, - data->dst.cnt, data->dst.inv, data->dst.ip); + data->dst.cnt, data->dst.ip); } } diff --git a/extensions/libebt_among.t b/extensions/libebt_among.t index a02206f3..aef07acf 100644 --- a/extensions/libebt_among.t +++ b/extensions/libebt_among.t @@ -1,15 +1,15 @@ :INPUT,FORWARD,OUTPUT --among-dst de:ad:0:be:ee:ff,c0:ff:ee:0:ba:be;--among-dst c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;OK ---among-dst ! c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK +! --among-dst c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK --among-src be:ef:0:c0:ff:ee,c0:ff:ee:0:ba:be,de:ad:0:be:ee:ff;=;OK --among-src de:ad:0:be:ee:ff=10.0.0.1,c0:ff:ee:0:ba:be=192.168.1.1;--among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;OK ---among-src ! c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;=;OK +! --among-src c0:ff:ee:0:ba:be=192.168.1.1,de:ad:0:be:ee:ff=10.0.0.1;=;OK --among-src de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK --among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK ---among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK ---among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK ---among-src ! de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK ---among-src de:ad:0:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:0:ba:be=192.168.1.1;=;OK +! --among-src de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be;=;OK +--among-src de:ad:0:be:ee:ff=10.0.0.1 ! --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK +! --among-src de:ad:0:be:ee:ff --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK +--among-src de:ad:0:be:ee:ff=10.0.0.1 ! --among-dst c0:ff:ee:0:ba:be=192.168.1.1;=;OK --among-src;=;FAIL --among-src 00:11=10.0.0.1;=;FAIL --among-src de:ad:0:be:ee:ff=10.256.0.1;=;FAIL diff --git a/extensions/libebt_arp.c b/extensions/libebt_arp.c index b6d691d8..50ce32be 100644 --- a/extensions/libebt_arp.c +++ b/extensions/libebt_arp.c @@ -66,13 +66,13 @@ static void brarp_print_help(void) printf( "arp options:\n" -"--arp-opcode [!] opcode : ARP opcode (integer or string)\n" -"--arp-htype [!] type : ARP hardware type (integer or string)\n" -"--arp-ptype [!] type : ARP protocol type (hexadecimal or string)\n" -"--arp-ip-src [!] address[/mask]: ARP IP source specification\n" -"--arp-ip-dst [!] address[/mask]: ARP IP target specification\n" -"--arp-mac-src [!] address[/mask]: ARP MAC source specification\n" -"--arp-mac-dst [!] address[/mask]: ARP MAC target specification\n" +"[!] --arp-opcode opcode : ARP opcode (integer or string)\n" +"[!] --arp-htype type : ARP hardware type (integer or string)\n" +"[!] --arp-ptype type : ARP protocol type (hexadecimal or string)\n" +"[!] --arp-ip-src address[/mask]: ARP IP source specification\n" +"[!] --arp-ip-dst address[/mask]: ARP IP target specification\n" +"[!] --arp-mac-src address[/mask]: ARP MAC source specification\n" +"[!] --arp-mac-dst address[/mask]: ARP MAC target specification\n" "[!] --arp-gratuitous : ARP gratuitous packet\n" " opcode strings: \n"); for (i = 0; i < ARRAY_SIZE(opcodes); i++) @@ -158,51 +158,50 @@ static void brarp_print(const void *ip, const struct xt_entry_match *match, int if (arpinfo->bitmask & EBT_ARP_OPCODE) { int opcode = ntohs(arpinfo->opcode); - printf("--arp-op "); + if (arpinfo->invflags & EBT_ARP_OPCODE) printf("! "); + printf("--arp-op "); if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes)) printf("%s ", opcodes[opcode - 1]); else printf("%d ", opcode); } if (arpinfo->bitmask & EBT_ARP_HTYPE) { - printf("--arp-htype "); if (arpinfo->invflags & EBT_ARP_HTYPE) printf("! "); - printf("%d ", ntohs(arpinfo->htype)); + printf("--arp-htype %d ", ntohs(arpinfo->htype)); } if (arpinfo->bitmask & EBT_ARP_PTYPE) { - printf("--arp-ptype "); if (arpinfo->invflags & EBT_ARP_PTYPE) printf("! "); - printf("0x%x ", ntohs(arpinfo->ptype)); + printf("--arp-ptype 0x%x ", ntohs(arpinfo->ptype)); } if (arpinfo->bitmask & EBT_ARP_SRC_IP) { - printf("--arp-ip-src "); if (arpinfo->invflags & EBT_ARP_SRC_IP) printf("! "); - printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr), - xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk)); + printf("--arp-ip-src %s%s ", + xtables_ipaddr_to_numeric((void *)&arpinfo->saddr), + xtables_ipmask_to_numeric((void *)&arpinfo->smsk)); } if (arpinfo->bitmask & EBT_ARP_DST_IP) { - printf("--arp-ip-dst "); if (arpinfo->invflags & EBT_ARP_DST_IP) printf("! "); - printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr), - xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk)); + printf("--arp-ip-dst %s%s ", + xtables_ipaddr_to_numeric((void *)&arpinfo->daddr), + xtables_ipmask_to_numeric((void *)&arpinfo->dmsk)); } if (arpinfo->bitmask & EBT_ARP_SRC_MAC) { - printf("--arp-mac-src "); if (arpinfo->invflags & EBT_ARP_SRC_MAC) printf("! "); + printf("--arp-mac-src "); xtables_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk); printf(" "); } if (arpinfo->bitmask & EBT_ARP_DST_MAC) { - printf("--arp-mac-dst "); if (arpinfo->invflags & EBT_ARP_DST_MAC) printf("! "); + printf("--arp-mac-dst "); xtables_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk); printf(" "); } diff --git a/extensions/libebt_arp.t b/extensions/libebt_arp.t index c8e874e8..ea006f25 100644 --- a/extensions/libebt_arp.t +++ b/extensions/libebt_arp.t @@ -1,22 +1,22 @@ :INPUT,FORWARD,OUTPUT -p ARP --arp-op Request;=;OK --p ARP --arp-op ! Request;=;OK +-p ARP ! --arp-op Request;=;OK -p ARP --arp-htype Ethernet;-p ARP --arp-htype 1;OK -p ARP --arp-htype 1;=;OK --p ARP --arp-htype ! 1;=;OK +-p ARP ! --arp-htype 1;=;OK -p ARP --arp-ptype 0x2;=;OK --p ARP --arp-ptype ! 0x2;=;OK +-p ARP ! --arp-ptype 0x2;=;OK -p ARP --arp-ip-src 1.2.3.4;=;OK --p ARP ! --arp-ip-dst 1.2.3.4;-p ARP --arp-ip-dst ! 1.2.3.4 -j CONTINUE;OK --p ARP --arp-ip-src ! 0.0.0.0;=;OK --p ARP --arp-ip-dst ! 0.0.0.0/8;=;OK --p ARP --arp-ip-src ! 1.2.3.4/32;-p ARP --arp-ip-src ! 1.2.3.4;OK --p ARP --arp-ip-src ! 1.2.3.4/255.255.255.0;-p ARP --arp-ip-src ! 1.2.3.0/24;OK --p ARP --arp-ip-src ! 1.2.3.4/255.0.255.255;-p ARP --arp-ip-src ! 1.0.3.4/255.0.255.255;OK +-p ARP --arp-ip-dst ! 1.2.3.4;-p ARP ! --arp-ip-dst 1.2.3.4 -j CONTINUE;OK +-p ARP ! --arp-ip-src 0.0.0.0;=;OK +-p ARP ! --arp-ip-dst 0.0.0.0/8;=;OK +-p ARP ! --arp-ip-src 1.2.3.4/32;-p ARP ! --arp-ip-src 1.2.3.4;OK +-p ARP ! --arp-ip-src 1.2.3.4/255.255.255.0;-p ARP ! --arp-ip-src 1.2.3.0/24;OK +-p ARP ! --arp-ip-src 1.2.3.4/255.0.255.255;-p ARP ! --arp-ip-src 1.0.3.4/255.0.255.255;OK -p ARP --arp-mac-src 00:de:ad:be:ef:00;=;OK --p ARP --arp-mac-src ! 00:de:ad:be:ef:00;=;OK +-p ARP ! --arp-mac-src 00:de:ad:be:ef:00;=;OK -p ARP --arp-mac-dst de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK --p ARP --arp-mac-dst ! de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK +-p ARP ! --arp-mac-dst de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK -p ARP --arp-gratuitous;=;OK -p ARP ! --arp-gratuitous;=;OK --arp-htype 1;=;FAIL diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c index 350dbcb6..3ed852ad 100644 --- a/extensions/libebt_ip.c +++ b/extensions/libebt_ip.c @@ -79,14 +79,14 @@ static void brip_print_help(void) { printf( "ip options:\n" -"--ip-src [!] address[/mask]: ip source specification\n" -"--ip-dst [!] address[/mask]: ip destination specification\n" -"--ip-tos [!] tos : ip tos specification\n" -"--ip-proto [!] protocol : ip protocol specification\n" -"--ip-sport [!] port[:port] : tcp/udp source port or port range\n" -"--ip-dport [!] port[:port] : tcp/udp destination port or port range\n" -"--ip-icmp-type [!] type[[:type]/code[:code]] : icmp type/code or type/code range\n" -"--ip-igmp-type [!] type[:type] : igmp type or type range\n"); +"[!] --ip-src address[/mask]: ip source specification\n" +"[!] --ip-dst address[/mask]: ip destination specification\n" +"[!] --ip-tos tos : ip tos specification\n" +"[!] --ip-proto protocol : ip protocol specification\n" +"[!] --ip-sport port[:port] : tcp/udp source port or port range\n" +"[!] --ip-dport port[:port] : tcp/udp destination port or port range\n" +"[!] --ip-icmp-type type[[:type]/code[:code]] : icmp type/code or type/code range\n" +"[!] --ip-igmp-type type[:type] : igmp type or type range\n"); printf("\nValid ICMP Types:\n"); xt_print_icmp_types(icmp_codes, ARRAY_SIZE(icmp_codes)); @@ -182,35 +182,34 @@ static void brip_print(const void *ip, const struct xt_entry_match *match, struct in_addr *addrp, *maskp; if (info->bitmask & EBT_IP_SOURCE) { - printf("--ip-src "); if (info->invflags & EBT_IP_SOURCE) printf("! "); addrp = (struct in_addr *)&info->saddr; maskp = (struct in_addr *)&info->smsk; - printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + printf("--ip-src %s%s ", + xtables_ipaddr_to_numeric(addrp), xtables_ipmask_to_numeric(maskp)); } if (info->bitmask & EBT_IP_DEST) { - printf("--ip-dst "); if (info->invflags & EBT_IP_DEST) printf("! "); addrp = (struct in_addr *)&info->daddr; maskp = (struct in_addr *)&info->dmsk; - printf("%s%s ", xtables_ipaddr_to_numeric(addrp), + printf("--ip-dst %s%s ", + xtables_ipaddr_to_numeric(addrp), xtables_ipmask_to_numeric(maskp)); } if (info->bitmask & EBT_IP_TOS) { - printf("--ip-tos "); if (info->invflags & EBT_IP_TOS) printf("! "); - printf("0x%02X ", info->tos); + printf("--ip-tos 0x%02X ", info->tos); } if (info->bitmask & EBT_IP_PROTO) { struct protoent *pe; - printf("--ip-proto "); if (info->invflags & EBT_IP_PROTO) printf("! "); + printf("--ip-proto "); pe = getprotobynumber(info->protocol); if (pe == NULL) { printf("%d ", info->protocol); @@ -219,28 +218,28 @@ static void brip_print(const void *ip, const struct xt_entry_match *match, } } if (info->bitmask & EBT_IP_SPORT) { - printf("--ip-sport "); if (info->invflags & EBT_IP_SPORT) printf("! "); + printf("--ip-sport "); print_port_range(info->sport); } if (info->bitmask & EBT_IP_DPORT) { - printf("--ip-dport "); if (info->invflags & EBT_IP_DPORT) printf("! "); + printf("--ip-dport "); print_port_range(info->dport); } if (info->bitmask & EBT_IP_ICMP) { - printf("--ip-icmp-type "); if (info->invflags & EBT_IP_ICMP) printf("! "); + printf("--ip-icmp-type "); ebt_print_icmp_type(icmp_codes, ARRAY_SIZE(icmp_codes), info->icmp_type, info->icmp_code); } if (info->bitmask & EBT_IP_IGMP) { - printf("--ip-igmp-type "); if (info->invflags & EBT_IP_IGMP) printf("! "); + printf("--ip-igmp-type "); ebt_print_icmp_type(igmp_types, ARRAY_SIZE(igmp_types), info->igmp_type, NULL); } diff --git a/extensions/libebt_ip.t b/extensions/libebt_ip.t index f6012df4..cfe4f54d 100644 --- a/extensions/libebt_ip.t +++ b/extensions/libebt_ip.t @@ -1,16 +1,16 @@ :INPUT,FORWARD,OUTPUT --p ip --ip-src ! 192.168.0.0/24 -j ACCEPT;-p IPv4 --ip-src ! 192.168.0.0/24 -j ACCEPT;OK +-p ip ! --ip-src 192.168.0.0/24 -j ACCEPT;-p IPv4 ! --ip-src 192.168.0.0/24 -j ACCEPT;OK -p IPv4 --ip-dst 10.0.0.1;=;OK --p IPv4 --ip-dst ! 10.0.0.1;=;OK +-p IPv4 ! --ip-dst 10.0.0.1;=;OK -p IPv4 --ip-tos 0xFF;=;OK --p IPv4 --ip-tos ! 0xFF;=;OK +-p IPv4 ! --ip-tos 0xFF;=;OK -p IPv4 --ip-proto tcp --ip-dport 22;=;OK -p IPv4 --ip-proto udp --ip-sport 1024:65535;=;OK -p IPv4 --ip-proto 253;=;OK --p IPv4 --ip-proto ! 253;=;OK +-p IPv4 ! --ip-proto 253;=;OK -p IPv4 --ip-proto icmp --ip-icmp-type echo-request;=;OK -p IPv4 --ip-proto icmp --ip-icmp-type 1/1;=;OK --p ip --ip-protocol icmp --ip-icmp-type ! 1:10;-p IPv4 --ip-proto icmp --ip-icmp-type ! 1:10/0:255 -j CONTINUE;OK +-p ip --ip-protocol icmp ! --ip-icmp-type 1:10;-p IPv4 --ip-proto icmp ! --ip-icmp-type 1:10/0:255 -j CONTINUE;OK --ip-proto icmp --ip-icmp-type 1/1;=;FAIL ! -p ip --ip-proto icmp --ip-icmp-type 1/1;=;FAIL ! -p ip --ip-proto tcp --ip-sport 22 --ip-icmp-type echo-reply;;FAIL @@ -18,4 +18,4 @@ ! -p ip --ip-proto tcp --ip-dport 22 --ip-icmp-type echo-reply;;FAIL ! -p ip --ip-proto tcp --ip-dport 22 --ip-igmp-type membership-query;;FAIL ! -p ip --ip-proto icmp --ip-icmp-type echo-reply --ip-igmp-type membership-query;;FAIL --p IPv4 --ip-proto icmp --ip-icmp-type ! echo-reply;=;OK +-p IPv4 --ip-proto icmp ! --ip-icmp-type echo-reply;=;OK diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate index 44ce9276..712ba3d1 100644 --- a/extensions/libebt_ip.txlate +++ b/extensions/libebt_ip.txlate @@ -1,4 +1,4 @@ -ebtables-translate -A FORWARD -p ip --ip-src ! 192.168.0.0/24 -j ACCEPT +ebtables-translate -A FORWARD -p ip ! --ip-src 192.168.0.0/24 -j ACCEPT nft 'add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept' ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 @@ -22,5 +22,5 @@ nft 'add rule bridge filter FORWARD icmp type 8 counter' ebtables-translate -A FORWARD -p ip --ip-proto icmp --ip-icmp-type 1/1 nft 'add rule bridge filter FORWARD icmp type 1 icmp code 1 counter' -ebtables-translate -A FORWARD -p ip --ip-protocol icmp --ip-icmp-type ! 1:10 +ebtables-translate -A FORWARD -p ip --ip-protocol icmp ! --ip-icmp-type 1:10 nft 'add rule bridge filter FORWARD icmp type != 1-10 counter' diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c index 0d7403e7..247a99eb 100644 --- a/extensions/libebt_ip6.c +++ b/extensions/libebt_ip6.c @@ -116,13 +116,13 @@ static void brip6_print_help(void) { printf( "ip6 options:\n" -"--ip6-src [!] address[/mask]: ipv6 source specification\n" -"--ip6-dst [!] address[/mask]: ipv6 destination specification\n" -"--ip6-tclass [!] tclass : ipv6 traffic class specification\n" -"--ip6-proto [!] protocol : ipv6 protocol specification\n" -"--ip6-sport [!] port[:port] : tcp/udp source port or port range\n" -"--ip6-dport [!] port[:port] : tcp/udp destination port or port range\n" -"--ip6-icmp-type [!] type[[:type]/code[:code]] : ipv6-icmp type/code or type/code range\n"); +"[!] --ip6-src address[/mask]: ipv6 source specification\n" +"[!] --ip6-dst address[/mask]: ipv6 destination specification\n" +"[!] --ip6-tclass tclass : ipv6 traffic class specification\n" +"[!] --ip6-proto protocol : ipv6 protocol specification\n" +"[!] --ip6-sport port[:port] : tcp/udp source port or port range\n" +"[!] --ip6-dport port[:port] : tcp/udp destination port or port range\n" +"[!] --ip6-icmp-type type[[:type]/code[:code]] : ipv6-icmp type/code or type/code range\n"); printf("Valid ICMPv6 Types:"); xt_print_icmp_types(icmpv6_codes, ARRAY_SIZE(icmpv6_codes)); } @@ -173,31 +173,30 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match, struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data; if (ipinfo->bitmask & EBT_IP6_SOURCE) { - printf("--ip6-src "); if (ipinfo->invflags & EBT_IP6_SOURCE) printf("! "); + printf("--ip6-src "); printf("%s", xtables_ip6addr_to_numeric(&ipinfo->saddr)); printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->smsk)); } if (ipinfo->bitmask & EBT_IP6_DEST) { - printf("--ip6-dst "); if (ipinfo->invflags & EBT_IP6_DEST) printf("! "); + printf("--ip6-dst "); printf("%s", xtables_ip6addr_to_numeric(&ipinfo->daddr)); printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->dmsk)); } if (ipinfo->bitmask & EBT_IP6_TCLASS) { - printf("--ip6-tclass "); if (ipinfo->invflags & EBT_IP6_TCLASS) printf("! "); - printf("0x%02X ", ipinfo->tclass); + printf("--ip6-tclass 0x%02X ", ipinfo->tclass); } if (ipinfo->bitmask & EBT_IP6_PROTO) { struct protoent *pe; - printf("--ip6-proto "); if (ipinfo->invflags & EBT_IP6_PROTO) printf("! "); + printf("--ip6-proto "); pe = getprotobynumber(ipinfo->protocol); if (pe == NULL) { printf("%d ", ipinfo->protocol); @@ -206,21 +205,21 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match, } } if (ipinfo->bitmask & EBT_IP6_SPORT) { - printf("--ip6-sport "); if (ipinfo->invflags & EBT_IP6_SPORT) printf("! "); + printf("--ip6-sport "); print_port_range(ipinfo->sport); } if (ipinfo->bitmask & EBT_IP6_DPORT) { - printf("--ip6-dport "); if (ipinfo->invflags & EBT_IP6_DPORT) printf("! "); + printf("--ip6-dport "); print_port_range(ipinfo->dport); } if (ipinfo->bitmask & EBT_IP6_ICMP6) { - printf("--ip6-icmp-type "); if (ipinfo->invflags & EBT_IP6_ICMP6) printf("! "); + printf("--ip6-icmp-type "); print_icmp_type(ipinfo->icmpv6_type, ipinfo->icmpv6_code); } } diff --git a/extensions/libebt_ip6.t b/extensions/libebt_ip6.t index 19358431..58e3c73c 100644 --- a/extensions/libebt_ip6.t +++ b/extensions/libebt_ip6.t @@ -1,22 +1,22 @@ :INPUT,FORWARD,OUTPUT --p ip6 --ip6-src ! dead::beef/64 -j ACCEPT;-p IPv6 --ip6-src ! dead::/64 -j ACCEPT;OK +-p ip6 ! --ip6-src dead::beef/64 -j ACCEPT;-p IPv6 ! --ip6-src dead::/64 -j ACCEPT;OK -p IPv6 --ip6-dst dead:beef::/64 -j ACCEPT;=;OK -p IPv6 --ip6-dst f00:ba::;=;OK --p IPv6 --ip6-dst ! f00:ba::;=;OK +-p IPv6 ! --ip6-dst f00:ba::;=;OK -p IPv6 --ip6-src 10.0.0.1;;FAIL -p IPv6 --ip6-tclass 0xFF;=;OK --p IPv6 --ip6-tclass ! 0xFF;=;OK +-p IPv6 ! --ip6-tclass 0xFF;=;OK -p IPv6 --ip6-proto tcp --ip6-dport 22;=;OK --p IPv6 --ip6-proto tcp --ip6-dport ! 22;=;OK --p IPv6 --ip6-proto tcp --ip6-sport ! 22 --ip6-dport 22;=;OK +-p IPv6 --ip6-proto tcp ! --ip6-dport 22;=;OK +-p IPv6 --ip6-proto tcp ! --ip6-sport 22 --ip6-dport 22;=;OK -p IPv6 --ip6-proto udp --ip6-sport 1024:65535;=;OK -p IPv6 --ip6-proto 253;=;OK --p IPv6 --ip6-proto ! 253;=;OK +-p IPv6 ! --ip6-proto 253;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request -j CONTINUE;=;OK -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type echo-request;=;OK --p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! echo-request;=;OK +-p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type echo-request;=;OK -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1;-p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type communication-prohibited -j CONTINUE;OK --p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type ! 1:10/0:255;=;OK +-p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;OK --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL ! -p IPv6 --ip6-proto ipv6-icmp ! --ip6-icmp-type 1:10/0:255;=;FAIL -p IPv6 --ip6-proto tcp --ip6-sport 22 --ip6-icmp-type echo-request;;FAIL diff --git a/extensions/libebt_ip6.txlate b/extensions/libebt_ip6.txlate index 0debbe12..13d57e3a 100644 --- a/extensions/libebt_ip6.txlate +++ b/extensions/libebt_ip6.txlate @@ -25,5 +25,5 @@ nft 'add rule bridge filter FORWARD icmpv6 type 128 counter' ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type 1/1 nft 'add rule bridge filter FORWARD icmpv6 type 1 icmpv6 code 1 counter' -ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 --ip6-icmp-type ! 1:10 +ebtables-translate -A FORWARD -p ip6 --ip6-protocol icmpv6 ! --ip6-icmp-type 1:10 nft 'add rule bridge filter FORWARD icmpv6 type != 1-10 counter' diff --git a/extensions/libebt_mark_m.c b/extensions/libebt_mark_m.c index f17fe99a..8ee17207 100644 --- a/extensions/libebt_mark_m.c +++ b/extensions/libebt_mark_m.c @@ -29,7 +29,7 @@ static void brmark_m_print_help(void) { printf( "mark option:\n" -"--mark [!] [value][/mask]: Match nfmask value (see man page)\n"); +"[!] --mark [value][/mask]: Match nfmask value (see man page)\n"); } static void brmark_m_parse(struct xt_option_call *cb) @@ -63,9 +63,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match, { struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data; - printf("--mark "); if (info->invert) printf("! "); + printf("--mark "); if (info->bitmask == EBT_MARK_OR) printf("/0x%lx ", info->mask); else if (info->mask != 0xffffffff) diff --git a/extensions/libebt_mark_m.t b/extensions/libebt_mark_m.t index 00035427..4de72bde 100644 --- a/extensions/libebt_mark_m.t +++ b/extensions/libebt_mark_m.t @@ -1,6 +1,6 @@ :INPUT,FORWARD,OUTPUT --mark 42;--mark 0x2a;OK ---mark ! 42;--mark ! 0x2a;OK +! --mark 42;! --mark 0x2a;OK --mark 42/0xff;--mark 0x2a/0xff;OK ---mark ! 0x1/0xff;=;OK +! --mark 0x1/0xff;=;OK --mark /0x2;=;OK diff --git a/extensions/libebt_mark_m.txlate b/extensions/libebt_mark_m.txlate index 2981a564..9061adbf 100644 --- a/extensions/libebt_mark_m.txlate +++ b/extensions/libebt_mark_m.txlate @@ -7,7 +7,7 @@ nft 'add rule bridge filter INPUT meta mark != 0x2a counter' ebtables-translate -A INPUT --mark ! 42 nft 'add rule bridge filter INPUT meta mark != 0x2a counter' -ebtables-translate -A INPUT --mark ! 0x1/0xff +ebtables-translate -A INPUT ! --mark 0x1/0xff nft 'add rule bridge filter INPUT meta mark and 0xff != 0x1 counter' ebtables-translate -A INPUT --mark /0x02 diff --git a/extensions/libebt_pkttype.c b/extensions/libebt_pkttype.c index b01b83a1..579e8fdb 100644 --- a/extensions/libebt_pkttype.c +++ b/extensions/libebt_pkttype.c @@ -38,7 +38,7 @@ static void brpkttype_print_help(void) { printf( "pkttype options:\n" -"--pkttype-type [!] type: class the packet belongs to\n" +"[!] --pkttype-type type: class the packet belongs to\n" "Possible values: broadcast, multicast, host, otherhost, or any other byte value (which would be pretty useless).\n"); } @@ -76,7 +76,7 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match, { struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data; - printf("--pkttype-type %s", pt->invert ? "! " : ""); + printf("%s--pkttype-type ", pt->invert ? "! " : ""); if (pt->pkt_type < ARRAY_SIZE(classes)) printf("%s ", classes[pt->pkt_type]); diff --git a/extensions/libebt_pkttype.t b/extensions/libebt_pkttype.t index e3b95ded..f3cdc19d 100644 --- a/extensions/libebt_pkttype.t +++ b/extensions/libebt_pkttype.t @@ -1,14 +1,14 @@ :INPUT,FORWARD,OUTPUT -! --pkttype-type host;--pkttype-type ! host -j CONTINUE;OK +--pkttype-type ! host;! --pkttype-type host -j CONTINUE;OK --pkttype-type host;=;OK ---pkttype-type ! host;=;OK +! --pkttype-type host;=;OK --pkttype-type broadcast;=;OK ---pkttype-type ! broadcast;=;OK +! --pkttype-type broadcast;=;OK --pkttype-type multicast;=;OK ---pkttype-type ! multicast;=;OK +! --pkttype-type multicast;=;OK --pkttype-type otherhost;=;OK ---pkttype-type ! otherhost;=;OK +! --pkttype-type otherhost;=;OK --pkttype-type outgoing;=;OK ---pkttype-type ! outgoing;=;OK +! --pkttype-type outgoing;=;OK --pkttype-type loopback;=;OK ---pkttype-type ! loopback;=;OK +! --pkttype-type loopback;=;OK diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t index 370a12f4..3f1a459c 100644 --- a/extensions/libebt_standard.t +++ b/extensions/libebt_standard.t @@ -6,7 +6,8 @@ -d de:ad:be:ef:00:00 -j CONTINUE;=;OK -d de:ad:be:ef:0:00/ff:ff:ff:ff:0:0 -j DROP;-d de:ad:be:ef:00:00/ff:ff:ff:ff:00:00 -j DROP;OK -p ARP -j ACCEPT;=;OK --p ! ARP -j ACCEPT;=;OK +! -p ARP -j ACCEPT;=;OK +-p ! ARP -j ACCEPT;! -p ARP -j ACCEPT;OK -p 0 -j ACCEPT;=;FAIL -p ! 0 -j ACCEPT;=;FAIL :INPUT diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c index 9b372d1d..81054b26 100644 --- a/extensions/libebt_stp.c +++ b/extensions/libebt_stp.c @@ -63,18 +63,18 @@ static void brstp_print_help(void) { printf( "stp options:\n" -"--stp-type type : BPDU type\n" -"--stp-flags flag : control flag\n" -"--stp-root-prio prio[:prio] : root priority (16-bit) range\n" -"--stp-root-addr address[/mask] : MAC address of root\n" -"--stp-root-cost cost[:cost] : root cost (32-bit) range\n" -"--stp-sender-prio prio[:prio] : sender priority (16-bit) range\n" -"--stp-sender-addr address[/mask] : MAC address of sender\n" -"--stp-port port[:port] : port id (16-bit) range\n" -"--stp-msg-age age[:age] : message age timer (16-bit) range\n" -"--stp-max-age age[:age] : maximum age timer (16-bit) range\n" -"--stp-hello-time time[:time] : hello time timer (16-bit) range\n" -"--stp-forward-delay delay[:delay]: forward delay timer (16-bit) range\n" +"[!] --stp-type type : BPDU type\n" +"[!] --stp-flags flag : control flag\n" +"[!] --stp-root-prio prio[:prio] : root priority (16-bit) range\n" +"[!] --stp-root-addr address[/mask] : MAC address of root\n" +"[!] --stp-root-cost cost[:cost] : root cost (32-bit) range\n" +"[!] --stp-sender-prio prio[:prio] : sender priority (16-bit) range\n" +"[!] --stp-sender-addr address[/mask] : MAC address of sender\n" +"[!] --stp-port port[:port] : port id (16-bit) range\n" +"[!] --stp-msg-age age[:age] : message age timer (16-bit) range\n" +"[!] --stp-max-age age[:age] : maximum age timer (16-bit) range\n" +"[!] --stp-hello-time time[:time] : hello time timer (16-bit) range\n" +"[!] --stp-forward-delay delay[:delay]: forward delay timer (16-bit) range\n" " Recognized BPDU type strings:\n" " \"config\": configuration BPDU (=0)\n" " \"tcn\" : topology change notification BPDU (=0x80)\n" @@ -184,8 +184,9 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match, for (i = 0; (1 << i) < EBT_STP_MASK; i++) { if (!(stpinfo->bitmask & (1 << i))) continue; - printf("--%s %s", brstp_opts[i].name, - (stpinfo->invflags & (1 << i)) ? "! " : ""); + printf("%s--%s ", + (stpinfo->invflags & (1 << i)) ? "! " : "", + brstp_opts[i].name); if (EBT_STP_TYPE == (1 << i)) { if (stpinfo->type == BPDU_TYPE_CONFIG) printf("%s", BPDU_TYPE_CONFIG_STRING); diff --git a/extensions/libebt_stp.t b/extensions/libebt_stp.t index b3c7e5f3..06df6073 100644 --- a/extensions/libebt_stp.t +++ b/extensions/libebt_stp.t @@ -1,29 +1,29 @@ :INPUT,FORWARD,OUTPUT --stp-type 1;=;OK ---stp-type ! 1;=;OK +! --stp-type 1;=;OK --stp-flags 0x1;--stp-flags topology-change -j CONTINUE;OK ---stp-flags ! topology-change;=;OK +! --stp-flags topology-change;=;OK --stp-root-prio 1 -j ACCEPT;=;OK ---stp-root-prio ! 1 -j ACCEPT;=;OK +! --stp-root-prio 1 -j ACCEPT;=;OK --stp-root-addr 0d:ea:d0:0b:ee:f0;=;OK ---stp-root-addr ! 0d:ea:d0:0b:ee:f0;=;OK +! --stp-root-addr 0d:ea:d0:0b:ee:f0;=;OK --stp-root-addr 0d:ea:d0:00:00:00/ff:ff:ff:00:00:00;=;OK ---stp-root-addr ! 0d:ea:d0:00:00:00/ff:ff:ff:00:00:00;=;OK +! --stp-root-addr 0d:ea:d0:00:00:00/ff:ff:ff:00:00:00;=;OK --stp-root-cost 1;=;OK ---stp-root-cost ! 1;=;OK +! --stp-root-cost 1;=;OK --stp-sender-prio 1;=;OK ---stp-sender-prio ! 1;=;OK +! --stp-sender-prio 1;=;OK --stp-sender-addr de:ad:be:ef:00:00;=;OK ---stp-sender-addr ! de:ad:be:ef:00:00;=;OK +! --stp-sender-addr de:ad:be:ef:00:00;=;OK --stp-sender-addr de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK ---stp-sender-addr ! de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK +! --stp-sender-addr de:ad:be:ef:00:00/ff:ff:ff:ff:00:00;=;OK --stp-port 1;=;OK ---stp-port ! 1;=;OK +! --stp-port 1;=;OK --stp-msg-age 1;=;OK ---stp-msg-age ! 1;=;OK +! --stp-msg-age 1;=;OK --stp-max-age 1;=;OK ---stp-max-age ! 1;=;OK +! --stp-max-age 1;=;OK --stp-hello-time 1;=;OK ---stp-hello-time ! 1;=;OK +! --stp-hello-time 1;=;OK --stp-forward-delay 1;=;OK ---stp-forward-delay ! 1;=;OK +! --stp-forward-delay 1;=;OK diff --git a/extensions/libebt_vlan.c b/extensions/libebt_vlan.c index 7f5aa8cd..b9f6c519 100644 --- a/extensions/libebt_vlan.c +++ b/extensions/libebt_vlan.c @@ -34,9 +34,9 @@ static void brvlan_print_help(void) { printf( "vlan options:\n" -"--vlan-id [!] id : vlan-tagged frame identifier, 0,1-4096 (integer)\n" -"--vlan-prio [!] prio : Priority-tagged frame's user priority, 0-7 (integer)\n" -"--vlan-encap [!] encap : Encapsulated frame protocol (hexadecimal or name)\n"); +"[!] --vlan-id id : vlan-tagged frame identifier, 0,1-4096 (integer)\n" +"[!] --vlan-prio prio : Priority-tagged frame's user priority, 0-7 (integer)\n" +"[!] --vlan-encap encap : Encapsulated frame protocol (hexadecimal or name)\n"); } static void brvlan_parse(struct xt_option_call *cb) @@ -75,14 +75,19 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match, struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data; if (vlaninfo->bitmask & EBT_VLAN_ID) { - printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id); + printf("%s--vlan-id %d ", + (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", + vlaninfo->id); } if (vlaninfo->bitmask & EBT_VLAN_PRIO) { - printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio); + printf("%s--vlan-prio %d ", + (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", + vlaninfo->prio); } if (vlaninfo->bitmask & EBT_VLAN_ENCAP) { - printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : ""); - printf("%4.4X ", ntohs(vlaninfo->encap)); + printf("%s--vlan-encap %4.4X ", + (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : "", + ntohs(vlaninfo->encap)); } } diff --git a/extensions/libebt_vlan.t b/extensions/libebt_vlan.t index 3ec05599..e009ad71 100644 --- a/extensions/libebt_vlan.t +++ b/extensions/libebt_vlan.t @@ -1,13 +1,13 @@ :INPUT,FORWARD,OUTPUT -p 802_1Q --vlan-id 42;=;OK --p 802_1Q --vlan-id ! 42;=;OK +-p 802_1Q ! --vlan-id 42;=;OK -p 802_1Q --vlan-prio 1;=;OK --p 802_1Q --vlan-prio ! 1;=;OK +-p 802_1Q ! --vlan-prio 1;=;OK -p 802_1Q --vlan-encap ip;-p 802_1Q --vlan-encap 0800 -j CONTINUE;OK -p 802_1Q --vlan-encap 0800;=;OK --p 802_1Q --vlan-encap ! 0800;=;OK --p 802_1Q --vlan-encap IPv6 ! --vlan-id 1;-p 802_1Q --vlan-id ! 1 --vlan-encap 86DD -j CONTINUE;OK --p 802_1Q --vlan-id ! 1 --vlan-encap 86DD;=;OK +-p 802_1Q ! --vlan-encap 0800;=;OK +-p 802_1Q --vlan-encap IPv6 --vlan-id ! 1;-p 802_1Q ! --vlan-id 1 --vlan-encap 86DD -j CONTINUE;OK +-p 802_1Q ! --vlan-id 1 --vlan-encap 86DD;=;OK --vlan-encap ip;=;FAIL --vlan-id 2;=;FAIL --vlan-prio 1;=;FAIL diff --git a/extensions/libebt_vlan.txlate b/extensions/libebt_vlan.txlate index 5d21e3eb..6e12e2d0 100644 --- a/extensions/libebt_vlan.txlate +++ b/extensions/libebt_vlan.txlate @@ -1,7 +1,7 @@ ebtables-translate -A INPUT -p 802_1Q --vlan-id 42 nft 'add rule bridge filter INPUT vlan id 42 counter' -ebtables-translate -A INPUT -p 802_1Q --vlan-prio ! 1 +ebtables-translate -A INPUT -p 802_1Q ! --vlan-prio 1 nft 'add rule bridge filter INPUT vlan pcp != 1 counter' ebtables-translate -A INPUT -p 802_1Q --vlan-encap ip |