extensions: libxt_conntrack: simplify translation using negation

Available since nftables 0.9.9. For example:

 # iptables-translate -I INPUT -m state ! --state NEW,INVALID
 nft insert rule ip filter INPUT ct state ! invalid,new  counter

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7f7b45ee1f822dc6a41a80626fc337f57794ee6b..64018ce152b7aa4120c19f014697e2935c8a1257 100644 (file)
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1151,40 +1151,30 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
 static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
 {
        const char *sep = "";
-       int one_flag_set;
 
-       one_flag_set = !(statemask & (statemask - 1));
-
-       if (inverted && !one_flag_set)
-               xt_xlate_add(xl, "& (");
-       else if (inverted)
-               xt_xlate_add(xl, "& ");
+       if (inverted)
+               xt_xlate_add(xl, "! ");
 
        if (statemask & XT_CONNTRACK_STATE_INVALID) {
                xt_xlate_add(xl, "%s%s", sep, "invalid");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
                xt_xlate_add(xl, "%s%s", sep, "new");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
                xt_xlate_add(xl, "%s%s", sep, "related");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
                xt_xlate_add(xl, "%s%s", sep, "established");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
                xt_xlate_add(xl, "%s%s", sep, "untracked");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
-
-       if (inverted && !one_flag_set)
-               xt_xlate_add(xl, ") == 0");
-       else if (inverted)
-               xt_xlate_add(xl, " == 0");
 }
 
 static int state_xlate(struct xt_xlate *xl,
@@ -1203,36 +1193,26 @@ static int state_xlate(struct xt_xlate *xl,
 static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
 {
        const char *sep = "";
-       int one_flag_set;
 
-       one_flag_set = !(statusmask & (statusmask - 1));
-
-       if (inverted && !one_flag_set)
-               xt_xlate_add(xl, "& (");
-       else if (inverted)
-               xt_xlate_add(xl, "& ");
+       if (inverted)
+               xt_xlate_add(xl, "! ");
 
        if (statusmask & IPS_EXPECTED) {
                xt_xlate_add(xl, "%s%s", sep, "expected");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statusmask & IPS_SEEN_REPLY) {
                xt_xlate_add(xl, "%s%s", sep, "seen-reply");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statusmask & IPS_ASSURED) {
                xt_xlate_add(xl, "%s%s", sep, "assured");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
        if (statusmask & IPS_CONFIRMED) {
                xt_xlate_add(xl, "%s%s", sep, "confirmed");
-               sep = inverted && !one_flag_set ? "|" : ",";
+               sep = ",";
        }
-
-       if (inverted && !one_flag_set)
-               xt_xlate_add(xl, ") == 0");
-       else if (inverted)
-               xt_xlate_add(xl, " == 0");
 }
 
 static void addr_xlate_print(struct xt_xlate *xl,

diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 8cc7c504ab4b413837dcd42317e89da8a28bef79..45fba984ba9620ca707a8ec03e56b79a09f6b962 100644 (file)
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,10 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
 nft add rule ip filter INPUT ct state new,related counter accept
 
 ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new,related counter accept
 
 ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
-nft add rule ip6 filter INPUT ct state & new == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
 nft add rule ip filter INPUT ct original protocol 17 counter accept
@@ -35,10 +35,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
 nft add rule ip filter INPUT ct status expected counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
-nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
+nft add rule ip filter INPUT ct status ! confirmed counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
-nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+nft add rule ip filter INPUT ct status ! assured,confirmed counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
 nft add rule ip filter INPUT ct status assured,confirmed counter accept