summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--extensions/libebt_standard.t4
-rw-r--r--extensions/libip6t_standard.t3
-rw-r--r--extensions/libxt_standard.t2
-rw-r--r--iptables/nft-arp.c4
-rw-r--r--iptables/nft-bridge.c38
-rw-r--r--iptables/nft-ipv4.c4
-rw-r--r--iptables/nft-ipv6.c4
-rw-r--r--iptables/nft-shared.c45
-rw-r--r--iptables/nft-shared.h4
9 files changed, 36 insertions, 72 deletions
diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t
index 97cb3baa..370a12f4 100644
--- a/extensions/libebt_standard.t
+++ b/extensions/libebt_standard.t
@@ -14,6 +14,10 @@
-o foobar;=;FAIL
--logical-in br0;=;OK
--logical-out br1;=;FAIL
+-i + -d 00:0f:ee:d0:ba:be;-d 00:0f:ee:d0:ba:be;OK
+-i + -p ip;-p IPv4;OK
+--logical-in + -d 00:0f:ee:d0:ba:be;-d 00:0f:ee:d0:ba:be;OK
+--logical-in + -p ip;-p IPv4;OK
:FORWARD
-i foobar;=;OK
-o foobar;=;OK
diff --git a/extensions/libip6t_standard.t b/extensions/libip6t_standard.t
index a528af10..0c559cc5 100644
--- a/extensions/libip6t_standard.t
+++ b/extensions/libip6t_standard.t
@@ -3,3 +3,6 @@
! -d ::;! -d ::/128;OK
! -s ::;! -s ::/128;OK
-s ::/64;=;OK
+:INPUT
+-i + -d c0::fe;-d c0::fe/128;OK
+-i + -p tcp;-p tcp;OK
diff --git a/extensions/libxt_standard.t b/extensions/libxt_standard.t
index 6ed978e4..7c83cfa3 100644
--- a/extensions/libxt_standard.t
+++ b/extensions/libxt_standard.t
@@ -24,3 +24,5 @@
:FORWARD
--protocol=tcp --source=1.2.3.4 --destination=5.6.7.8/32 --in-interface=eth0 --out-interface=eth1 --jump=ACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
-ptcp -s1.2.3.4 -d5.6.7.8/32 -ieth0 -oeth1 -jACCEPT;-s 1.2.3.4/32 -d 5.6.7.8/32 -i eth0 -o eth1 -p tcp -j ACCEPT;OK
+-i + -d 1.2.3.4;-d 1.2.3.4/32;OK
+-i + -p tcp;-p tcp;OK
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 9868966a..aed39ebd 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -49,12 +49,12 @@ static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (fw->arp.iniface[0] != '\0') {
op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_IN);
- add_iniface(h, r, fw->arp.iniface, op);
+ add_iface(h, r, fw->arp.iniface, NFT_META_IIFNAME, op);
}
if (fw->arp.outiface[0] != '\0') {
op = nft_invflags2cmp(fw->arp.invflags, IPT_INV_VIA_OUT);
- add_outiface(h, r, fw->arp.outiface, op);
+ add_iface(h, r, fw->arp.outiface, NFT_META_OIFNAME, op);
}
if (fw->arp.arhrd != 0 ||
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 391a8ab7..d9a8ad2b 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -65,36 +65,6 @@ static void ebt_print_mac_and_mask(const unsigned char *mac, const unsigned char
xtables_print_mac_and_mask(mac, mask);
}
-static void add_logical_iniface(struct nft_handle *h, struct nftnl_rule *r,
- char *iface, uint32_t op)
-{
- int iface_len;
- uint8_t reg;
-
- iface_len = strlen(iface);
-
- add_meta(h, r, NFT_META_BRI_IIFNAME, &reg);
- if (iface[iface_len - 1] == '+')
- add_cmp_ptr(r, op, iface, iface_len - 1, reg);
- else
- add_cmp_ptr(r, op, iface, iface_len + 1, reg);
-}
-
-static void add_logical_outiface(struct nft_handle *h, struct nftnl_rule *r,
- char *iface, uint32_t op)
-{
- int iface_len;
- uint8_t reg;
-
- iface_len = strlen(iface);
-
- add_meta(h, r, NFT_META_BRI_OIFNAME, &reg);
- if (iface[iface_len - 1] == '+')
- add_cmp_ptr(r, op, iface, iface_len - 1, reg);
- else
- add_cmp_ptr(r, op, iface, iface_len + 1, reg);
-}
-
static int add_meta_broute(struct nftnl_rule *r)
{
struct nftnl_expr *expr;
@@ -180,22 +150,22 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (fw->in[0] != '\0') {
op = nft_invflags2cmp(fw->invflags, EBT_IIN);
- add_iniface(h, r, fw->in, op);
+ add_iface(h, r, fw->in, NFT_META_IIFNAME, op);
}
if (fw->out[0] != '\0') {
op = nft_invflags2cmp(fw->invflags, EBT_IOUT);
- add_outiface(h, r, fw->out, op);
+ add_iface(h, r, fw->out, NFT_META_OIFNAME, op);
}
if (fw->logical_in[0] != '\0') {
op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALIN);
- add_logical_iniface(h, r, fw->logical_in, op);
+ add_iface(h, r, fw->logical_in, NFT_META_BRI_IIFNAME, op);
}
if (fw->logical_out[0] != '\0') {
op = nft_invflags2cmp(fw->invflags, EBT_ILOGICALOUT);
- add_logical_outiface(h, r, fw->logical_out, op);
+ add_iface(h, r, fw->logical_out, NFT_META_BRI_OIFNAME, op);
}
if ((fw->bitmask & EBT_NOPROTO) == 0) {
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 2f10220e..75912847 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -51,12 +51,12 @@ static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (cs->fw.ip.iniface[0] != '\0') {
op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_IN);
- add_iniface(h, r, cs->fw.ip.iniface, op);
+ add_iface(h, r, cs->fw.ip.iniface, NFT_META_IIFNAME, op);
}
if (cs->fw.ip.outiface[0] != '\0') {
op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_OUT);
- add_outiface(h, r, cs->fw.ip.outiface, op);
+ add_iface(h, r, cs->fw.ip.outiface, NFT_META_OIFNAME, op);
}
if (cs->fw.ip.proto != 0) {
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d53f87c1..5aef365b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -54,12 +54,12 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
if (cs->fw6.ipv6.iniface[0] != '\0') {
op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_IN);
- add_iniface(h, r, cs->fw6.ipv6.iniface, op);
+ add_iface(h, r, cs->fw6.ipv6.iniface, NFT_META_IIFNAME, op);
}
if (cs->fw6.ipv6.outiface[0] != '\0') {
op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_OUT);
- add_outiface(h, r, cs->fw6.ipv6.outiface, op);
+ add_iface(h, r, cs->fw6.ipv6.outiface, NFT_META_OIFNAME, op);
}
if (cs->fw6.ipv6.proto != 0) {
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 34ca9d16..6775578b 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -147,44 +147,29 @@ void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg)
add_cmp_ptr(r, op, &val, sizeof(val), sreg);
}
-void add_iniface(struct nft_handle *h, struct nftnl_rule *r,
- char *iface, uint32_t op)
+void add_iface(struct nft_handle *h, struct nftnl_rule *r,
+ char *iface, uint32_t key, uint32_t op)
{
- int iface_len;
+ int iface_len = strlen(iface);
uint8_t reg;
- iface_len = strlen(iface);
- add_meta(h, r, NFT_META_IIFNAME, &reg);
if (iface[iface_len - 1] == '+') {
- if (iface_len > 1)
- add_cmp_ptr(r, op, iface, iface_len - 1, reg);
- else if (op != NFT_CMP_EQ)
- add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
- strlen("INVAL/D") + 1, reg);
+ if (iface_len > 1) {
+ iface_len -= 1;
+ } else if (op != NFT_CMP_EQ) {
+ op = NFT_CMP_EQ;
+ iface = "INVAL/D";
+ iface_len = strlen(iface) + 1;
+ } else {
+ return; /* -o + */
+ }
} else {
- add_cmp_ptr(r, op, iface, iface_len + 1, reg);
+ iface_len += 1;
}
-}
-
-void add_outiface(struct nft_handle *h, struct nftnl_rule *r,
- char *iface, uint32_t op)
-{
- int iface_len;
- uint8_t reg;
- iface_len = strlen(iface);
-
- add_meta(h, r, NFT_META_OIFNAME, &reg);
- if (iface[iface_len - 1] == '+') {
- if (iface_len > 1)
- add_cmp_ptr(r, op, iface, iface_len - 1, reg);
- else if (op != NFT_CMP_EQ)
- add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
- strlen("INVAL/D") + 1, reg);
- } else {
- add_cmp_ptr(r, op, iface, iface_len + 1, reg);
- }
+ add_meta(h, r, key, &reg);
+ add_cmp_ptr(r, op, iface, iface_len, reg);
}
void add_addr(struct nft_handle *h, struct nftnl_rule *r,
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 4f47058d..51d1e460 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -95,8 +95,8 @@ void add_cmp_ptr(struct nftnl_rule *r, uint32_t op, void *data, size_t len, uint
void add_cmp_u8(struct nftnl_rule *r, uint8_t val, uint32_t op, uint8_t sreg);
void add_cmp_u16(struct nftnl_rule *r, uint16_t val, uint32_t op, uint8_t sreg);
void add_cmp_u32(struct nftnl_rule *r, uint32_t val, uint32_t op, uint8_t sreg);
-void add_iniface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op);
-void add_outiface(struct nft_handle *h, struct nftnl_rule *r, char *iface, uint32_t op);
+void add_iface(struct nft_handle *h, struct nftnl_rule *r,
+ char *iface, uint32_t key, uint32_t op);
void add_addr(struct nft_handle *h, struct nftnl_rule *r, enum nft_payload_bases base, int offset,
void *data, void *mask, size_t len, uint32_t op);
void add_proto(struct nft_handle *h, struct nftnl_rule *r, int offset, size_t len,