In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables-translate -A FORWARD -i '*' -o 'eth*foo'
nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
+# escape all asterisks but translate only the first plus character
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
+
# skip for always matching interface names
iptables-translate -A FORWARD -i '+'
nft add rule ip filter FORWARD counter
for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
switch (ifname[i]) {
- case '+':
- iface[j] = '*';
- break;
case '*':
iface[j++] = '\\';
/* fall through */
invert = false;
}
+ if (iface[j - 2] == '+')
+ iface[j - 2] = '*';
+
xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
}
projects / thirdparty / iptables.git / commitdiff
