extensions: ipcomp: Save inverted full ranges

Fixes: 0bb8765cc28cf ("iptables: Add IPv4/6 IPcomp match support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c
index 4171c4a1c4eb74b8a387c2452ab6a851159d7df3..961c17e584933cae71785e5c90b8a0f7a21dfe40 100644 (file)
--- a/extensions/libxt_ipcomp.c
+++ b/extensions/libxt_ipcomp.c
@@ -76,11 +76,12 @@ static void comp_print(const void *ip, const struct xt_entry_match *match,
 static void comp_save(const void *ip, const struct xt_entry_match *match)
 {
        const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)match->data;
+       bool inv_spi = compinfo->invflags & XT_IPCOMP_INV_SPI;
 
        if (!(compinfo->spis[0] == 0
-           && compinfo->spis[1] == 0xFFFFFFFF)) {
-               printf("%s --ipcompspi ",
-                       (compinfo->invflags & XT_IPCOMP_INV_SPI) ? " !" : "");
+           && compinfo->spis[1] == UINT32_MAX
+           && !inv_spi)) {
+               printf("%s --ipcompspi ", inv_spi ? " !" : "");
                if (compinfo->spis[0]
                    != compinfo->spis[1])
                        printf("%u:%u",

diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t
index 375f885a708d985eb4b7195758fc8f638bab2dea..e25695c6912be72d57972c76da9f6d196a45cc99 100644 (file)
--- a/extensions/libxt_ipcomp.t
+++ b/extensions/libxt_ipcomp.t
@@ -2,7 +2,7 @@
 -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK
 -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK
 -p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK
--p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp ! --ipcompspi 0:4294967295;OK
 -p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK
 -p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK
 -p ipcomp -m ipcomp --ipcompspi 3:4;=;OK