From 29387a190f5ba04fb8a902dce9602292979a9ba2 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Sat, 22 Oct 2022 15:26:56 +0200 Subject: nft: Recognize INVAL/D interface name It is just a hack to translate '! -i +' into a never matching nft rule, but recognize it anyway for completeness' sake and to make xlate replay test pass. Signed-off-by: Phil Sutter --- iptables/nft-shared.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'iptables') diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 2bb46709..56acbd45 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -359,6 +359,21 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e) return 0; } +static void parse_invalid_iface(char *iface, unsigned char *mask, + uint8_t *invflags, uint8_t invbit) +{ + if (*invflags & invbit || strcmp(iface, "INVAL/D")) + return; + + /* nft's poor "! -o +" excuse */ + *invflags |= invbit; + iface[0] = '+'; + iface[1] = '\0'; + mask[0] = 0xff; + mask[1] = 0xff; + memset(mask + 2, 0, IFNAMSIZ - 2); +} + int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, char *iniface, unsigned char *iniface_mask, char *outiface, unsigned char *outiface_mask, uint8_t *invflags) @@ -393,6 +408,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, *invflags |= IPT_INV_VIA_IN; parse_ifname(ifname, len, iniface, iniface_mask); + parse_invalid_iface(iniface, iniface_mask, + invflags, IPT_INV_VIA_IN); break; case NFT_META_BRI_OIFNAME: case NFT_META_OIFNAME: @@ -401,6 +418,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key, *invflags |= IPT_INV_VIA_OUT; parse_ifname(ifname, len, outiface, outiface_mask); + parse_invalid_iface(outiface, outiface_mask, + invflags, IPT_INV_VIA_OUT); break; case NFT_META_MARK: parse_meta_mark(ctx, e); -- cgit v1.2.3