From 129ed57b8e050e8e57deeefc2ed36ec979265d8a Mon Sep 17 00:00:00 2001
From: Liping Zhang
Date: Fri, 7 Oct 2016 19:08:51 +0800
Subject: extensions: libxt_iprange: handle the invert flag properly in translation

If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter

Apply this patch:
  # iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
  nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter
  # ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
  nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
 extensions/libxt_iprange.c | 52 ++++++++++++++++++----------------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
(limited to 'extensions/libxt_iprange.c')

diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index a76f1e92..8be24814 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -322,18 +322,14 @@ static int iprange_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip saddr");
+		xt_xlate_add(xl, "ip saddr%s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "");
 		print_iprange_xlate(&info->src, xl);
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip daddr", space);
+		xt_xlate_add(xl, "%sip daddr%s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "");
 		print_iprange_xlate(&info->dst, xl);
 	}
 
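Review bot: The new `info->flags & IPRANGE_SRC_INV ? " !=" : ""` and the matching daddr line depend on `&` binding tighter than `?:`; that is correct C, but a reader skimming it can take it as `flags & (INV ? ...)`, and the same shape now appears in three translators, so it is worth making explicit: `(info->flags & IPRANGE_SRC_INV) ? " !=" : ""` and `(info->flags & IPRANGE_DST_INV) ? " !=" : ""`. A one-line comment above the SRC branch would also record why the operator moved, e.g. `/* nft wants the negation after the selector: "ip saddr != a-b" */`, since nothing in the hunk states the nft syntax being targeted. The hunk also leaves `print_iprange_xlate()` responsible for the space between `!=` and the range; I cannot see that helper here, so its leading-space behaviour should be confirmed against the expected output in the commit message. iprange_xlate's signature begins before the hunk and its return lies after it.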
@@ -348,23 +344,19 @@ static int iprange_mt4_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip saddr %s",
-			     xtables_ipaddr_to_numeric(&info->src_min.in));
+		xt_xlate_add(xl, "ip saddr%s %s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "",
+			     xtables_ipaddr_to_numeric(&info->src_min.in));
 		xt_xlate_add(xl, "-%s",
-			       xtables_ipaddr_to_numeric(&info->src_max.in));
+			     xtables_ipaddr_to_numeric(&info->src_max.in));
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip daddr %s", space,
-			     xtables_ipaddr_to_numeric(&info->dst_min.in));
+		xt_xlate_add(xl, "%sip daddr%s %s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "",
+			     xtables_ipaddr_to_numeric(&info->dst_min.in));
 		xt_xlate_add(xl, "-%s",
-			       xtables_ipaddr_to_numeric(&info->dst_max.in));
+			     xtables_ipaddr_to_numeric(&info->dst_max.in));
 	}
 
 	return 1;
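Review bot: The min and max addresses are still emitted through two separate `xt_xlate_add()` calls instead of one `"%s-%s"` format, and the new code keeps that split without saying why; the likely reason is that `xtables_ipaddr_to_numeric()` returns a shared static buffer that a second call in the same argument list would overwrite, but that helper is not visible here, so it should be confirmed. If that is the case, the constraint deserves a comment on the first call in each branch, e.g. `/* two calls: xtables_ipaddr_to_numeric() reuses one static buffer */`, so that a future cleanup does not merge them and silently print `min-min`. Note that the new `"ip saddr%s %s"` line itself already places one `xtables_ipaddr_to_numeric()` result alongside the invert string in a single call, which is fine only because the invert string is a literal. iprange_mt4_xlate's signature begins before the hunk.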
@@ -378,23 +370,19 @@ static int iprange_mt6_xlate(struct xt_xlate *xl,
 	char *space = "";
 
 	if (info->flags & IPRANGE_SRC) {
-		if (info->flags & IPRANGE_SRC_INV)
-			xt_xlate_add(xl, "!= ");
-		xt_xlate_add(xl, "ip6 saddr %s",
-			     xtables_ip6addr_to_numeric(&info->src_min.in6));
+		xt_xlate_add(xl, "ip6 saddr%s %s",
+			     info->flags & IPRANGE_SRC_INV ? " !=" : "",
+			     xtables_ip6addr_to_numeric(&info->src_min.in6));
 		xt_xlate_add(xl, "-%s",
-			       xtables_ip6addr_to_numeric(&info->src_max.in6));
+			     xtables_ip6addr_to_numeric(&info->src_max.in6));
 		space = " ";
 	}
 	if (info->flags & IPRANGE_DST) {
-		if (info->flags & IPRANGE_DST_INV) {
-			xt_xlate_add(xl, "%s!= ", space);
-			space = "";
-		}
-		xt_xlate_add(xl, "%sip6 daddr %s", space,
-			     xtables_ip6addr_to_numeric(&info->dst_min.in6));
+		xt_xlate_add(xl, "%sip6 daddr%s %s", space,
+			     info->flags & IPRANGE_DST_INV ? " !=" : "",
+			     xtables_ip6addr_to_numeric(&info->dst_min.in6));
 		xt_xlate_add(xl, "-%s",
-			       xtables_ip6addr_to_numeric(&info->dst_max.in6));
+			     xtables_ip6addr_to_numeric(&info->dst_max.in6));
 	}
 
 	return 1;
-- 
cgit v1.2.3
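Review bot: After this change the expression `info->flags & IPRANGE_xxx_INV ? " !=" : ""` is written out six times across iprange_xlate, iprange_mt4_xlate and this ip6 translator, which is the kind of duplication that drifts the next time the nft syntax changes. A tiny file-local helper would keep the three translators in step, e.g. `static const char *iprange_inv_str(unsigned int flags, unsigned int bit)` with body `return flags & bit ? " !=" : "";`, called as `iprange_inv_str(info->flags, IPRANGE_SRC_INV)`; I have used a plain flags argument because the exact info struct type is not visible in the hunk. Style only, behaviour is unchanged. iprange_mt6_xlate's signature begins before the hunk.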