xtables-translate: fix issue with quotes
authorPablo M. Bermudo Garay <pablombg@gmail.com>
Tue, 26 Jul 2016 16:45:24 +0000 (18:45 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 27 Jul 2016 11:56:51 +0000 (13:56 +0200)
Some translations included escaped quotes when they were called from
nft:

$ sudo nft list ruleset
table ip mangle {
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
        ct helper \"ftp\" counter packets 0 bytes 0
                  ^^   ^^
    }
}

This behavior is only correct when the xlate functions are called from an
xtables-translate command. This patch solves the issue by adding a new
parameter (escape_quotes) to the xlate functions.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libip6t_LOG.c
extensions/libipt_LOG.c
extensions/libxt_NFLOG.c
extensions/libxt_helper.c
include/xtables.h
iptables/xtables-translate.c

index cf5f8df55521f62784cd34bade06dcbacd67b619..af77b9a5b2190721b2ecb7827df64a16eb55f4fc 100644 (file)
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
        unsigned int i = 0;
 
        xt_xlate_add(xl, "log ");
-       if (strcmp(loginfo->prefix, "") != 0)
-               xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+       if (strcmp(loginfo->prefix, "") != 0) {
+               if (params->escape_quotes)
+                       xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+               else
+                       xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+       }
 
        for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
                if (loginfo->level == ip6t_log_xlate_names[i].level &&
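Review bot: Both new branches insert `loginfo->prefix` between double quotes with a bare `%s`, so a prefix that itself contains `"` closes the string early and the remainder is parsed as rule syntax in the translated output. The same pattern appears in the libipt_LOG.c hunk, in `nflog_print_xlate` (`info->prefix`) and in `helper_xlate` (`info->name`). As far as I know nft's quoted strings have no escape for an embedded quote, so the conservative fix is to refuse the translation with `if (strchr(loginfo->prefix, '"') != NULL) return 0;` placed before the first `xt_xlate_add` call. That assumes a zero return marks the rule as untranslatable, which the `return 1` success paths elsewhere in this commit suggest but do not show. LOG_xlate starts and ends outside the hunk.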
index 996dfb60dd44c55e035db2ffe8fe3afcefafde09..2784d9bc527c9cb2dd720ca546e1e591660d1106 100644 (file)
@@ -190,8 +190,12 @@ static int LOG_xlate(struct xt_xlate *xl,
        unsigned int i = 0;
 
        xt_xlate_add(xl, "log ");
-       if (strcmp(loginfo->prefix, "") != 0)
-               xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+       if (strcmp(loginfo->prefix, "") != 0) {
+               if (params->escape_quotes)
+                       xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+               else
+                       xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+       }
 
        for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
                if (loginfo->level != LOG_DEFAULT_LEVEL &&
index e6d627af6a2647ad37aa10ffc663f96d5ab8aea7..02a1b4aa35a3be0381cb37f36f71e603a4b806bd 100644 (file)
@@ -107,11 +107,16 @@ static void NFLOG_save(const void *ip, const struct xt_entry_target *target)
 }
 
 static void nflog_print_xlate(const struct xt_nflog_info *info,
-                             struct xt_xlate *xl)
+                             struct xt_xlate *xl, bool escape_quotes)
 {
        xt_xlate_add(xl, "log ");
-       if (info->prefix[0] != '\0')
-               xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+       if (info->prefix[0] != '\0') {
+               if (escape_quotes)
+                       xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+               else
+                       xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
+
+       }
        if (info->flags & XT_NFLOG_F_COPY_LEN)
                xt_xlate_add(xl, "snaplen %u ", info->len);
        if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
@@ -125,7 +130,7 @@ static int NFLOG_xlate(struct xt_xlate *xl,
        const struct xt_nflog_info *info =
                (struct xt_nflog_info *)params->target->data;
 
-       nflog_print_xlate(info, xl);
+       nflog_print_xlate(info, xl, params->escape_quotes);
 
        return 1;
 }
index 6860127b83ed9cb0fb2bbad6ee044e767379f990..2afbf996a69977618754f323993c68305b441cf8 100644 (file)
@@ -50,8 +50,12 @@ static int helper_xlate(struct xt_xlate *xl,
 {
        const struct xt_helper_info *info = (const void *)params->match->data;
 
-       xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
-                  info->invert ? " !=" : "", info->name);
+       if (params->escape_quotes)
+               xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
+                          info->invert ? " !=" : "", info->name);
+       else
+               xt_xlate_add(xl, "ct helper%s \"%s\"",
+                          info->invert ? " !=" : "", info->name);
 
        return 1;
 }
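Review bot: The two branches of `helper_xlate` differ only in the quote characters, and each repeats the `info->invert ? " !=" : ""` argument, so a later change to one format string can silently miss the other. Selecting the quote once keeps a single format string: `const char *q = params->escape_quotes ? "\\\"" : "\"";` followed by `xt_xlate_add(xl, "ct helper%s %s%s%s", info->invert ? " !=" : "", q, info->name, q);`. The same shape would work for the three prefix sites in the LOG and NFLOG hunks.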
index 73ab8256043ff73b61d77d332979171efdd78cd1..e9bc3b7d44a6801ec728f41cbc526dc926c97c60 100644 (file)
@@ -211,12 +211,14 @@ struct xt_xlate_mt_params {
        const void                      *ip;
        const struct xt_entry_match     *match;
        int                             numeric;
+       bool                            escape_quotes;
 };
 
 struct xt_xlate_tg_params {
        const void                      *ip;
        const struct xt_entry_target    *target;
        int                             numeric;
+       bool                            escape_quotes;
 };
 
 /* Include file for additions: new matches and targets. */
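Review bot: `escape_quotes` is appended to two structs in this public header without a comment saying which caller is expected to set it. An xlate caller built against the older layout would also pass an object smaller than the one the updated extensions read. Nothing visible in this commit changes the library's interface version, so I would check whether that needs a bump alongside this change. For the field itself I would add `/* true: emit \" (xtables-translate output); false: emit plain " */` on both declarations.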
index 678228b2f8b48a0bd9ebc0efab107b9689c9b36b..9044d27ca6b86e4fb1eb53f6140e83ed8d168fff 100644 (file)
@@ -53,6 +53,7 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
                                .ip             = (const void *)&cs->fw,
                                .target         = cs->target->t,
                                .numeric        = numeric,
+                               .escape_quotes  = true,
                        };
                        ret = cs->target->xlate(xl, &params);
                }
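Review bot: Setting `.escape_quotes = true` here (and in the `xlate_matches` hunk below) only controls the double quote; the extension hunks still pass the string itself through `%s` unchanged. If the escaped form exists because this output is meant to be pasted into a shell, which the commit message implies but does not state, then other shell-significant characters in a log prefix or helper name are not covered by it. I would at least record that limit next to the initializer: `/* only '"' is escaped for the command-line form; the string body is emitted verbatim */`. xlate_action starts and ends outside the hunk.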
@@ -79,6 +80,7 @@ int xlate_matches(const struct iptables_command_state *cs, struct xt_xlate *xl)
                        .ip             = (const void *)&cs->fw,
                        .match          = matchp->match->m,
                        .numeric        = numeric,
+                       .escape_quotes  = true,
                };
 
                if (!matchp->match->xlate)