]> git.ipfire.org Git - thirdparty/iptables.git/commitdiff
projects / thirdparty / iptables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5baa427)
nft: Recognize INVAL/D interface name
authorPhil Sutter <phil@nwl.cc>
Sat, 22 Oct 2022 13:26:56 +0000 (15:26 +0200)
committerPhil Sutter <phil@nwl.cc>
Fri, 2 Dec 2022 00:47:32 +0000 (01:47 +0100)
It is just a hack to translate '! -i +' into a never matching nft rule,
but recognize it anyway for completeness' sake and to make xlate replay
test pass.

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-shared.c patch | blob | blame | history

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 2bb46709bd21d69a61d6d8b40d135d467a2c8633..56acbd4555f4bbfa8de5830c6bc2a45d0c1bb3c0 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -359,6 +359,21 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
        return 0;
 }
 
+static void parse_invalid_iface(char *iface, unsigned char *mask,
+                               uint8_t *invflags, uint8_t invbit)
+{
+       if (*invflags & invbit || strcmp(iface, "INVAL/D"))
+               return;
+
+       /* nft's poor "! -o +" excuse */
+       *invflags |= invbit;
+       iface[0] = '+';
+       iface[1] = '\0';
+       mask[0] = 0xff;
+       mask[1] = 0xff;
+       memset(mask + 2, 0, IFNAMSIZ - 2);
+}
+
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
               char *iniface, unsigned char *iniface_mask,
               char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
@@ -393,6 +408,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                        *invflags |= IPT_INV_VIA_IN;
 
                parse_ifname(ifname, len, iniface, iniface_mask);
+               parse_invalid_iface(iniface, iniface_mask,
+                                   invflags, IPT_INV_VIA_IN);
                break;
        case NFT_META_BRI_OIFNAME:
        case NFT_META_OIFNAME:
@@ -401,6 +418,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                        *invflags |= IPT_INV_VIA_OUT;
 
                parse_ifname(ifname, len, outiface, outiface_mask);
+               parse_invalid_iface(outiface, outiface_mask,
+                                   invflags, IPT_INV_VIA_OUT);
                break;
        case NFT_META_MARK:
                parse_meta_mark(ctx, e);
Mirror of git://git.netfilter.org/iptables