summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--extensions/libxt_conntrack.c30
-rw-r--r--extensions/libxt_conntrack.txlate8
2 files changed, 28 insertions, 10 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 91f9e4aa..7f7b45ee 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1200,26 +1200,39 @@ static int state_xlate(struct xt_xlate *xl,
return 1;
}
-static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask)
+static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
{
const char *sep = "";
+ int one_flag_set;
+
+ one_flag_set = !(statusmask & (statusmask - 1));
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, "& (");
+ else if (inverted)
+ xt_xlate_add(xl, "& ");
if (statusmask & IPS_EXPECTED) {
xt_xlate_add(xl, "%s%s", sep, "expected");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_SEEN_REPLY) {
xt_xlate_add(xl, "%s%s", sep, "seen-reply");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_ASSURED) {
xt_xlate_add(xl, "%s%s", sep, "assured");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
if (statusmask & IPS_CONFIRMED) {
xt_xlate_add(xl, "%s%s", sep, "confirmed");
- sep = ",";
+ sep = inverted && !one_flag_set ? "|" : ",";
}
+
+ if (inverted && !one_flag_set)
+ xt_xlate_add(xl, ") == 0");
+ else if (inverted)
+ xt_xlate_add(xl, " == 0");
}
static void addr_xlate_print(struct xt_xlate *xl,
@@ -1277,10 +1290,9 @@ static int _conntrack3_mt_xlate(struct xt_xlate *xl,
}
if (sinfo->match_flags & XT_CONNTRACK_STATUS) {
- xt_xlate_add(xl, "%sct status %s", space,
- sinfo->invert_flags & XT_CONNTRACK_STATUS ?
- "!= " : "");
- status_xlate_print(xl, sinfo->status_mask);
+ xt_xlate_add(xl, "%sct status ", space);
+ status_xlate_print(xl, sinfo->status_mask,
+ sinfo->invert_flags & XT_CONNTRACK_STATUS);
space = " ";
}
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 5ab85b17..8cc7c504 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -35,7 +35,13 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
nft add rule ip filter INPUT ct status expected counter accept
iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
-nft add rule ip filter INPUT ct status != confirmed counter accept
+nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+
+iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
+nft add rule ip filter INPUT ct status assured,confirmed counter accept
iptables-translate -t filter -A INPUT -m conntrack --ctexpire 3 -j ACCEPT
nft add rule ip filter INPUT ct expiration 3 counter accept