diff options
Diffstat (limited to 'iptables/nft-ipv4.c')
-rw-r--r-- | iptables/nft-ipv4.c | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index a2c58060..140093cd 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -31,37 +31,42 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) struct xtables_rule_match *matchp; uint32_t op; - if (cs->fw.ip.iniface[0] != '\0') - add_iniface(r, cs->fw.ip.iniface, cs->fw.ip.invflags); + if (cs->fw.ip.iniface[0] != '\0') { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_IN); + add_iniface(r, cs->fw.ip.iniface, op); + } - if (cs->fw.ip.outiface[0] != '\0') - add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags); + if (cs->fw.ip.outiface[0] != '\0') { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_OUT); + add_outiface(r, cs->fw.ip.outiface, op); + } - if (cs->fw.ip.proto != 0) + if (cs->fw.ip.proto != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO); add_proto(r, offsetof(struct iphdr, protocol), 1, - cs->fw.ip.proto, cs->fw.ip.invflags); + cs->fw.ip.proto, op); + } if (cs->fw.ip.src.s_addr != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_SRCIP); add_addr(r, offsetof(struct iphdr, saddr), &cs->fw.ip.src.s_addr, &cs->fw.ip.smsk.s_addr, - sizeof(struct in_addr), cs->fw.ip.invflags); + sizeof(struct in_addr), op); } if (cs->fw.ip.dst.s_addr != 0) { + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_DSTIP); add_addr(r, offsetof(struct iphdr, daddr), &cs->fw.ip.dst.s_addr, &cs->fw.ip.dmsk.s_addr, - sizeof(struct in_addr), cs->fw.ip.invflags); + sizeof(struct in_addr), op); } if (cs->fw.ip.flags & IPT_F_FRAG) { - add_payload(r, offsetof(struct iphdr, frag_off), 2); + add_payload(r, offsetof(struct iphdr, frag_off), 2, + NFT_PAYLOAD_NETWORK_HEADER); /* get the 13 bits that contain the fragment offset */ add_bitwise_u16(r, 0x1fff, !0x1fff); /* if offset is non-zero, this is a fragment */ - if (cs->fw.ip.invflags & IPT_INV_FRAG) - op = NFT_CMP_EQ; - else - op = NFT_CMP_NEQ; - + op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_FRAG); add_cmp_u16(r, 0, op); } @@ -118,6 +123,8 @@ static void get_frag(struct nft_xt_ctx *ctx, struct nft_rule_expr *e, bool *inv) *inv = true; else *inv = false; + + ctx->flags &= ~NFT_XT_CTX_BITWISE; } static const char *mask_to_str(uint32_t mask) @@ -173,10 +180,12 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, case offsetof(struct iphdr, saddr): get_cmp_data(e, &addr, sizeof(addr), &inv); cs->fw.ip.src.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) + if (ctx->flags & NFT_XT_CTX_BITWISE) { parse_mask_ipv4(ctx, &cs->fw.ip.smsk); - else + ctx->flags &= ~NFT_XT_CTX_BITWISE; + } else { cs->fw.ip.smsk.s_addr = 0xffffffff; + } if (inv) cs->fw.ip.invflags |= IPT_INV_SRCIP; @@ -184,10 +193,12 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx, case offsetof(struct iphdr, daddr): get_cmp_data(e, &addr, sizeof(addr), &inv); cs->fw.ip.dst.s_addr = addr.s_addr; - if (ctx->flags & NFT_XT_CTX_BITWISE) + if (ctx->flags & NFT_XT_CTX_BITWISE) { parse_mask_ipv4(ctx, &cs->fw.ip.dmsk); - else + ctx->flags &= ~NFT_XT_CTX_BITWISE; + } else { cs->fw.ip.dmsk.s_addr = 0xffffffff; + } if (inv) cs->fw.ip.invflags |= IPT_INV_DSTIP; |