Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-ipv4.c | 23 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 23 | ||||
-rw-r--r-- | iptables/nft.c | 6 | ||||
-rw-r--r-- | iptables/nft.h | 1 | ||||
-rw-r--r-- | iptables/xshared.c | 2 | ||||
-rw-r--r-- | iptables/xtables-translate.c | 17 |
6 files changed, 42 insertions, 30 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0ce8477f..74092875 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -200,6 +200,7 @@ static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr,
 static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 			  struct xt_xlate *xl)
 {
+	uint16_t proto = cs->fw.ip.proto;
 	const char *comment;
 	int ret;
 
@@ -213,18 +214,16 @@ static int nft_ipv4_xlate(const struct iptables_command_state *cs,
 			     cs->fw.ip.invflags & IPT_INV_FRAG? "" : "!= ", 0);
 	}
 
-	if (cs->fw.ip.proto != 0) {
-		const char *pname = proto_to_name(cs->fw.ip.proto, 0);
-
-		if (!pname || !xlate_find_match(cs, pname)) {
-			xt_xlate_add(xl, "ip protocol");
-			if (cs->fw.ip.invflags & IPT_INV_PROTO)
-				xt_xlate_add(xl, " !=");
-			if (pname)
-				xt_xlate_add(xl, "%s", pname);
-			else
-				xt_xlate_add(xl, "%hu", cs->fw.ip.proto);
-		}
+	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
+		const char *pname = proto_to_name(proto, 0);
+
+		xt_xlate_add(xl, "ip protocol");
+		if (cs->fw.ip.invflags & IPT_INV_PROTO)
+			xt_xlate_add(xl, " !=");
+		if (pname)
+			xt_xlate_add(xl, "%s", pname);
+		else
+			xt_xlate_add(xl, "%hu", proto);
 	}
 
 	xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index c371ba8c..b184f8af 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -184,6 +184,7 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr,
 static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 			  struct xt_xlate *xl)
 {
+	uint16_t proto = cs->fw6.ipv6.proto;
 	const char *comment;
 	int ret;
 
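Review bot: The redundancy test on the new `if (proto != 0 && !xlate_find_protomatch(cs, proto))` line ignores IPT_INV_PROTO: with an inverted protocol the `ip protocol != <name>` selector is not redundant with a `<name>` match, yet it is dropped whenever that match is present, and the `meta l4proto` line in the second nft-ipv6.c hunk has the same gap. Whether the option parser ever lets an inverted -p coexist with its protocol match I cannot tell from here, but the translator should not rely on that; `if (proto != 0 && ((cs->fw.ip.invflags & IPT_INV_PROTO) || !xlate_find_protomatch(cs, proto))) {` keeps the selector in the inverted case (IP6T_INV_PROTO for the IPv6 side). The behaviour is inherited from the removed `!pname || !xlate_find_match(cs, pname)` test, so it is not a regression of this commit. nft_ipv4_xlate continues past the end of the hunk.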
@@ -192,18 +193,16 @@ static int nft_ipv6_xlate(const struct iptables_command_state *cs,
 	xlate_ifname(xl, "oifname", cs->fw6.ipv6.outiface,
 		     cs->fw6.ipv6.invflags & IP6T_INV_VIA_OUT);
 
-	if (cs->fw6.ipv6.proto != 0) {
-		const char *pname = proto_to_name(cs->fw6.ipv6.proto, 0);
-
-		if (!pname || !xlate_find_match(cs, pname)) {
-			xt_xlate_add(xl, "meta l4proto");
-			if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
-				xt_xlate_add(xl, " !=");
-			if (pname)
-				xt_xlate_add(xl, "%s", pname);
-			else
-				xt_xlate_add(xl, "%hu", cs->fw6.ipv6.proto);
-		}
+	if (proto != 0 && !xlate_find_protomatch(cs, proto)) {
+		const char *pname = proto_to_name(proto, 0);
+
+		xt_xlate_add(xl, "meta l4proto");
+		if (cs->fw6.ipv6.invflags & IP6T_INV_PROTO)
+			xt_xlate_add(xl, " !=");
+		if (pname)
+			xt_xlate_add(xl, "%s", pname);
+		else
+			xt_xlate_add(xl, "%hu", proto);
 	}
 
 	xlate_ipv6_addr("ip6 saddr", &cs->fw6.ipv6.src, &cs->fw6.ipv6.smsk,
diff --git a/iptables/nft.c b/iptables/nft.c
index ee63c3dc..884cc77e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1307,14 +1307,12 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
 	uint8_t reg;
 	int ret;
 
-	if (src[0] && src[0] == src[1] &&
+	if (!invert_src &&
+	    src[0] && src[0] == src[1] &&
 	    dst[0] && dst[0] == dst[1] &&
 	    invert_src == invert_dst) {
 		uint32_t combined = dst[0] | (src[0] << 16);
 
-		if (invert_src)
-			op = NFT_CMP_NEQ;
-
 		expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, ®);
 		if (!expr)
 			return -ENOMEM;
diff --git a/iptables/nft.h b/iptables/nft.h
index 57533b65..b2a8484f 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
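Review bot: With `!invert_src &&` now leading the condition in the nft.c hunk, the remaining `invert_src == invert_dst` line only means `!invert_dst`, and the intent reads more directly as `if (!invert_src && !invert_dst && src[0] && src[0] == src[1] && dst[0] && dst[0] == dst[1]) {`. The reason the combined 4-byte compare is restricted to the non-inverted case is not stated anywhere; a comment above the `if` would carry it: `/* One NEQ on the combined sport/dport word is true when either port differs, whereas inverted port matches require each port to differ, so inverted ranges take the per-port path below. */`. Since the `op = NFT_CMP_NEQ` assignment is gone, `op` should be verified to be initialised where the combined branch still passes it on; `op` is declared before the hunk and add_nft_tcpudp begins and ends outside it.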
@@ -242,6 +242,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, boo
 struct xt_buf;
 bool xlate_find_match(const struct iptables_command_state *cs, const char *p_name);
+bool xlate_find_protomatch(const struct iptables_command_state *cs, uint16_t proto);
 int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl);
 int xlate_action(const struct iptables_command_state *cs, bool goto_set,
		 struct xt_xlate *xl);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index b998dd75..b1997ea3 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1885,7 +1885,7 @@ void do_parse(int argc, char *argv[],
 			set_option(p->ops, &cs->options, OPT_COUNTERS,
 				   &args->invflags, invert);
 			args->pcnt = optarg;
-			args->bcnt = strchr(args->pcnt + 1, ',');
+			args->bcnt = strchr(args->pcnt, ',');
 			if (args->bcnt)
 				args->bcnt++;
 			if (!args->bcnt && xs_has_arg(argc, argv))
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 8ebe523c..3d8617f0 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -131,7 +131,6 @@ bool xlate_find_match(const struct iptables_command_state *cs, const char *p_nam
 {
 	struct xtables_rule_match *matchp;
 
-	/* Skip redundant protocol, eg. ip protocol tcp tcp dport */
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
 		if (strcmp(matchp->match->name, p_name) == 0)
 			return true;
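Review bot: In the xshared.c hunk, after the corrected `args->bcnt = strchr(args->pcnt, ',');`, the following `args->bcnt++` leaves bcnt pointing at an empty string for a trailing comma such as `5,`, and pcnt is an empty string for a leading one; the place where the two counters are converted is outside the hunk, so it must reject an empty field rather than silently read it as zero. The old `pcnt + 1` also stepped past the terminator of an empty optarg before searching, which the new line no longer does. A comment on the strchr line would make the accepted syntax explicit: `/* "<packets>,<bytes>" in one word; without a comma the byte count is apparently taken from the next argument */`, hedged because the xs_has_arg() branch is only partly visible. do_parse continues on both sides of the hunk.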
@@ -139,6 +138,22 @@ bool xlate_find_match(const struct iptables_command_state *cs, const char *p_nam
 	return false;
 }
 
+bool xlate_find_protomatch(const struct iptables_command_state *cs,
+			   uint16_t proto)
+{
+	struct protoent *pent;
+	int i;
+
+	/* Skip redundant protocol, eg. ip protocol tcp tcp dport */
+	for (i = 0; xtables_chain_protos[i].name != NULL; i++) {
+		if (xtables_chain_protos[i].num == proto &&
+		    xlate_find_match(cs, xtables_chain_protos[i].name))
+			return true;
+	}
+	pent = getprotobynumber(proto);
+	return pent && xlate_find_match(cs, pent->p_name);
+}
+
 const char *family2str[] = {
 	[NFPROTO_ARP]	= "arp",
 	[NFPROTO_IPV4]	= "ip",
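Review bot: xlate_find_protomatch has no header comment, and the fallback on `pent = getprotobynumber(proto);` deserves one, because it consults the host's protocols database (NSS, typically /etc/protocols), so whether the explicit protocol selector is emitted can differ between hosts for numbers that are not in xtables_chain_protos; the static table is tried first and takes precedence. Suggested comment above the function: `/* True if a match extension named after protocol number @proto is present, which makes the explicit selector redundant (eg. "ip protocol tcp tcp dport"). Names are taken from xtables_chain_protos first, then from the system protocols database. */`. `getprotobynumber()` returns a pointer into static storage that a later call overwrites; it is consumed immediately here, so that is fine as written, but worth a word in the comment for future callers.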