diff options
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-ipv4.c | 42 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 19 |
2 files changed, 46 insertions, 15 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index fdc15c6f..0d32a300 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -383,6 +383,32 @@ static void nft_ipv4_post_parse(int command, " source or destination IP addresses"); } +static void xlate_ipv4_addr(const char *selector, const struct in_addr *addr, + const struct in_addr *mask, + bool inv, struct xt_xlate *xl) +{ + const char *op = inv ? "!= " : ""; + int cidr; + + if (!inv && !addr->s_addr && !mask->s_addr) + return; + + cidr = xtables_ipmask_to_cidr(mask); + switch (cidr) { + case -1: + /* inet_ntoa() is not reentrant */ + xt_xlate_add(xl, "%s & %s ", selector, inet_ntoa(*mask)); + xt_xlate_add(xl, "%s %s ", inv ? "!=" : "==", inet_ntoa(*addr)); + break; + case 32: + xt_xlate_add(xl, "%s %s%s ", selector, op, inet_ntoa(*addr)); + break; + default: + xt_xlate_add(xl, "%s %s%s/%d ", selector, op, inet_ntoa(*addr), + cidr); + } +} + static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) { const struct iptables_command_state *cs = data; @@ -417,18 +443,10 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl) } } - if (cs->fw.ip.src.s_addr != 0) { - xt_xlate_add(xl, "ip saddr %s%s%s ", - cs->fw.ip.invflags & IPT_INV_SRCIP ? "!= " : "", - inet_ntoa(cs->fw.ip.src), - xtables_ipmask_to_numeric(&cs->fw.ip.smsk)); - } - if (cs->fw.ip.dst.s_addr != 0) { - xt_xlate_add(xl, "ip daddr %s%s%s ", - cs->fw.ip.invflags & IPT_INV_DSTIP ? "!= " : "", - inet_ntoa(cs->fw.ip.dst), - xtables_ipmask_to_numeric(&cs->fw.ip.dmsk)); - } + xlate_ipv4_addr("ip saddr", &cs->fw.ip.src, &cs->fw.ip.smsk, + cs->fw.ip.invflags & IPT_INV_SRCIP, xl); + xlate_ipv4_addr("ip daddr", &cs->fw.ip.dst, &cs->fw.ip.dmsk, + cs->fw.ip.invflags & IPT_INV_DSTIP, xl); ret = xlate_matches(cs, xl); if (!ret) diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 130ad3e6..46008fc5 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -337,14 +337,27 @@ static void xlate_ipv6_addr(const char *selector, const struct in6_addr *addr, const struct in6_addr *mask, int invert, struct xt_xlate *xl) { + const char *op = invert ? "!= " : ""; char addr_str[INET6_ADDRSTRLEN]; + int cidr; - if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr)) + if (!invert && IN6_IS_ADDR_UNSPECIFIED(addr) && IN6_IS_ADDR_UNSPECIFIED(mask)) return; inet_ntop(AF_INET6, addr, addr_str, INET6_ADDRSTRLEN); - xt_xlate_add(xl, "%s %s%s%s ", selector, invert ? "!= " : "", addr_str, - xtables_ip6mask_to_numeric(mask)); + cidr = xtables_ip6mask_to_cidr(mask); + switch (cidr) { + case -1: + xt_xlate_add(xl, "%s & %s %s %s ", selector, + xtables_ip6addr_to_numeric(mask), + invert ? "!=" : "==", addr_str); + break; + case 128: + xt_xlate_add(xl, "%s %s%s ", selector, op, addr_str); + break; + default: + xt_xlate_add(xl, "%s %s%s/%d ", selector, op, addr_str, cidr); + } } static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl) |