From 18e334da7363ba186edb1700056e26ded27ca5ba Mon Sep 17 00:00:00 2001 From: Alexander Mikhalitsyn Date: Thu, 1 Apr 2021 16:47:07 +0300 Subject: extensions: libxt_conntrack: use bitops for state negation Currently, state_xlate_print function prints statemask as comma-separated sequence of enabled statemask flags. But if we have inverted conntrack ctstate condition then we have to use more complex expression because nft not supports syntax like "ct state != related,established". Reproducer: $ iptables -A INPUT -d 127.0.0.1/32 -p tcp -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP $ nft list ruleset ... meta l4proto tcp ip daddr 127.0.0.1 ct state != related,established counter packets 0 bytes 0 drop ... it will fail if we try to load this rule: $ nft -f nft_test ../nft_test:6:97-97: Error: syntax error, unexpected comma, expecting newline or semicolon Cc: Florian Westphal Signed-off-by: Alexander Mikhalitsyn Signed-off-by: Florian Westphal --- extensions/libxt_conntrack.txlate | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'extensions/libxt_conntrack.txlate') diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate index d374f8a0..5ab85b17 100644 --- a/extensions/libxt_conntrack.txlate +++ b/extensions/libxt_conntrack.txlate @@ -2,7 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE nft add rule ip filter INPUT ct state new,related counter accept ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT -nft add rule ip6 filter INPUT ct state != new,related counter accept +nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept + +ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT +nft add rule ip6 filter INPUT ct state & new == 0 counter accept iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT nft add rule ip filter INPUT ct original protocol 17 counter accept -- cgit v1.2.3