extensions: libxt_tcp: rework translation to use flags match representation

Use the new flags match representation available since nftables 0.9.9
to simplify the translation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_TCPMSS.txlate b/extensions/libxt_TCPMSS.txlate
index 6a64d2ce9bfde9db27923133a6a894a44174f7e7..3dbbad66c5606f84abe9fd8f40c8dbcb142bde04 100644 (file)
--- a/extensions/libxt_TCPMSS.txlate
+++ b/extensions/libxt_TCPMSS.txlate
@@ -1,5 +1,5 @@
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu
 
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set 90
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90

diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 383e4db5b5e231dd53350203bca6fc25d9eeb17f..0b115cddf15d9814ccae61ff514c74978aa70324 100644 (file)
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -381,7 +381,7 @@ static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
                for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
 
                if (have_flag)
-                       xt_xlate_add(xl, "|");
+                       xt_xlate_add(xl, ",");
 
                xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
                have_flag = 1;
@@ -435,11 +435,11 @@ static int tcp_xlate(struct xt_xlate *xl,
                return 0;
 
        if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
-               xt_xlate_add(xl, "%stcp flags & (", space);
-               print_tcp_xlate(xl, tcpinfo->flg_mask);
-               xt_xlate_add(xl, ") %s ",
-                          tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
+               xt_xlate_add(xl, "%stcp flags %s", space,
+                            tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!= ": "");
                print_tcp_xlate(xl, tcpinfo->flg_cmp);
+               xt_xlate_add(xl, " / ");
+               print_tcp_xlate(xl, tcpinfo->flg_mask);
        }
 
        return 1;

diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index bba63324df2b6fe89fb15fc6fa0d9ca2812cc907..921d4af024d32e0c7df2e3daf6bd2fbec4681732 100644 (file)
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -11,13 +11,13 @@ iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT
 nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept
 
 iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop
+nft add rule ip filter INPUT tcp flags fin / fin,ack counter drop
 
 iptables-translate -A INPUT -p tcp --syn -j ACCEPT
-nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp dport 80 tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -f -p tcp
 nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter