}
}
+static bool skip_spi_match(uint32_t min, uint32_t max, bool inv)
+{
+ return min == 0 && max == UINT32_MAX && !inv;
+}
+
static void
print_spis(const char *name, uint32_t min, uint32_t max,
int invert)
{
const char *inv = invert ? "!" : "";
- if (min != 0 || max != 0xFFFFFFFF || invert) {
+ if (!skip_spi_match(min, max, invert)) {
if (min == max)
printf("%s:%s%u", name, inv, min);
else
static void ah_save(const void *ip, const struct xt_entry_match *match)
{
const struct ip6t_ah *ahinfo = (struct ip6t_ah *)match->data;
+ bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI;
- if (!(ahinfo->spis[0] == 0
- && ahinfo->spis[1] == 0xFFFFFFFF)) {
- printf("%s --ahspi ",
- (ahinfo->invflags & IP6T_AH_INV_SPI) ? " !" : "");
+ if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+ printf("%s --ahspi ", inv_spi ? " !" : "");
if (ahinfo->spis[0]
!= ahinfo->spis[1])
printf("%u:%u",
const struct xt_xlate_mt_params *params)
{
const struct ip6t_ah *ahinfo = (struct ip6t_ah *)params->match->data;
+ bool inv_spi = ahinfo->invflags & IP6T_AH_INV_SPI;
char *space = "";
- if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
- xt_xlate_add(xl, "ah spi%s ",
- (ahinfo->invflags & IP6T_AH_INV_SPI) ? " !=" : "");
+ if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+ xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : "");
if (ahinfo->spis[0] != ahinfo->spis[1])
xt_xlate_add(xl, "%u-%u", ahinfo->spis[0],
ahinfo->spis[1]);
}
if (!space[0]) /* plain '-m ah' */
- xt_xlate_add(xl, "meta l4proto ah");
+ xt_xlate_add(xl, "exthdr ah exists");
return 1;
}
-m ah --ahspi;;FAIL
-m ah;=;OK
-m ah --ahspi :;-m ah;OK
--m ah ! --ahspi :;-m ah;OK
+-m ah ! --ahspi :;-m ah ! --ahspi 0:4294967295;OK
-m ah --ahspi :3;-m ah --ahspi 0:3;OK
-m ah --ahspi 3:;-m ah --ahspi 3:4294967295;OK
-m ah --ahspi 3:3;-m ah --ahspi 3;OK
nft 'add rule ip6 filter INPUT ah spi 500 ah hdrlength 120 ah reserved 1 counter accept'
ip6tables-translate -A INPUT -m ah --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT exthdr ah exists counter'
ip6tables-translate -A INPUT -m ah ! --ahspi 0:4294967295
-nft 'add rule ip6 filter INPUT meta l4proto ah counter'
+nft 'add rule ip6 filter INPUT ah spi != 0-4294967295 counter'
ahinfo->invflags |= IPT_AH_INV_SPI;
}
+static bool skip_spi_match(uint32_t min, uint32_t max, bool inv)
+{
+ return min == 0 && max == UINT32_MAX && !inv;
+}
+
static void
print_spis(const char *name, uint32_t min, uint32_t max,
int invert)
{
const char *inv = invert ? "!" : "";
- if (min != 0 || max != 0xFFFFFFFF || invert) {
+ if (!skip_spi_match(min, max, invert)) {
printf("%s", name);
if (min == max) {
printf(":%s", inv);
static void ah_save(const void *ip, const struct xt_entry_match *match)
{
const struct ipt_ah *ahinfo = (struct ipt_ah *)match->data;
+ bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI;
- if (!(ahinfo->spis[0] == 0
- && ahinfo->spis[1] == 0xFFFFFFFF)) {
- printf("%s --ahspi ",
- (ahinfo->invflags & IPT_AH_INV_SPI) ? " !" : "");
+ if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+ printf("%s --ahspi ", inv_spi ? " !" : "");
if (ahinfo->spis[0]
!= ahinfo->spis[1])
printf("%u:%u",
const struct xt_xlate_mt_params *params)
{
const struct ipt_ah *ahinfo = (struct ipt_ah *)params->match->data;
+ bool inv_spi = ahinfo->invflags & IPT_AH_INV_SPI;
- if (!(ahinfo->spis[0] == 0 && ahinfo->spis[1] == 0xFFFFFFFF)) {
- xt_xlate_add(xl, "ah spi%s ",
- (ahinfo->invflags & IPT_AH_INV_SPI) ? " !=" : "");
+ if (!skip_spi_match(ahinfo->spis[0], ahinfo->spis[1], inv_spi)) {
+ xt_xlate_add(xl, "ah spi%s ", inv_spi ? " !=" : "");
if (ahinfo->spis[0] != ahinfo->spis[1])
xt_xlate_add(xl, "%u-%u", ahinfo->spis[0],
ahinfo->spis[1]);
else
xt_xlate_add(xl, "%u", ahinfo->spis[0]);
+ } else {
+ xt_xlate_add(xl, "meta l4proto ah");
}
return 1;
-m ah;;FAIL
-p ah -m ah;=;OK
-p ah -m ah --ahspi :;-p ah -m ah;OK
--p ah -m ah ! --ahspi :;-p ah -m ah;OK
+-p ah -m ah ! --ahspi :;-p ah -m ah ! --ahspi 0:4294967295;OK
-p ah -m ah --ahspi :3;-p ah -m ah --ahspi 0:3;OK
-p ah -m ah --ahspi 3:;-p ah -m ah --ahspi 3:4294967295;OK
-p ah -m ah --ahspi 3:3;-p ah -m ah --ahspi 3;OK
nft 'add rule ip filter INPUT ah spi != 50 counter drop'
iptables-translate -A INPUT -p 51 -m ah --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT meta l4proto ah counter drop'
iptables-translate -A INPUT -p 51 -m ah ! --ahspi 0:4294967295 -j DROP
-nft 'add rule ip filter INPUT counter drop'
+nft 'add rule ip filter INPUT ah spi != 0-4294967295 counter drop'
projects / thirdparty / iptables.git / commitdiff
