nft: Fix match generator for '! -i +'

It's actually nonsense since it will never match, but iptables accepts
it and the resulting nftables rule must behave identically. Reuse the
solution implemented into xtables-translate (by commit e179e87a1179e)
and turn the above match into 'iifname INVAL/D'.

The commit this fixes merely ignored the fact that "any interface" match
might be inverted.

Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 03e13fdcb716ea047004bace3cd41f8882fd7c5f..2bb46709bd21d69a61d6d8b40d135d467a2c8633 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -168,6 +168,9 @@ void add_iniface(struct nft_handle *h, struct nftnl_rule *r,
        if (iface[iface_len - 1] == '+') {
                if (iface_len > 1)
                        add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+               else if (op != NFT_CMP_EQ)
+                       add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+                                   strlen("INVAL/D") + 1, reg);
        } else {
                add_cmp_ptr(r, op, iface, iface_len + 1, reg);
        }
@@ -185,6 +188,9 @@ void add_outiface(struct nft_handle *h, struct nftnl_rule *r,
        if (iface[iface_len - 1] == '+') {
                if (iface_len > 1)
                        add_cmp_ptr(r, op, iface, iface_len - 1, reg);
+               else if (op != NFT_CMP_EQ)
+                       add_cmp_ptr(r, NFT_CMP_EQ, "INVAL/D",
+                                   strlen("INVAL/D") + 1, reg);
        } else {
                add_cmp_ptr(r, op, iface, iface_len + 1, reg);
        }