nft-compat: fix IP6T_F_GOTO flag handling
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 11 Feb 2014 12:58:03 +0000 (13:58 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 11 Feb 2014 13:00:09 +0000 (14:00 +0100)
IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this needs special handling
to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/nft-shared.c
iptables/nft.c
iptables/nft.h

index 02645a29c80afd81d4e591d762999a9ba67c4296..d05e80eb105c7bc17c25c592e296fadfa6f24c04 100644 (file)
@@ -76,7 +76,7 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
        if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
                return -1;
 
-       return add_action(r, cs, cs->fw.ip.flags);
+       return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
 }
 
 static bool nft_ipv4_is_same(const void *data_a,
@@ -331,6 +331,12 @@ static void nft_ipv4_save_firewall(const void *data, unsigned int format)
 
        save_matches_and_target(cs->matches, cs->target,
                                cs->jumpto, cs->fw.ip.flags, &cs->fw);
+
+       if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+               printf("-%c %s", cs->fw.ip.flags & IPT_F_GOTO ? 'g' : 'j',
+                      cs->jumpto);
+       }
+       printf("\n");
 }
 
 static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
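Review bot: The `-g`/`-j` printing added to nft_ipv4_save_firewall is duplicated verbatim in nft_ipv6_save_firewall (iptables/nft-ipv6.c), while the `flags` argument is still passed to save_matches_and_target on the line just above even though, as far as this diff shows, the shared function no longer reads it (iptables/nft-shared.c removes its only visible use). The approach the commit already takes for add_action would avoid both the copy and the dead parameter: replace the flags parameter of save_matches_and_target with `bool goto_set`, keep the single print in nft-shared.c as `printf("-%c %s", goto_set ? 'g' : 'j', jumpto);`, and have the two callers pass `!!(cs->fw.ip.flags & IPT_F_GOTO)` and `!!(cs->fw6.ipv6.flags & IP6T_F_GOTO)` respectively. That keeps the IPv4/IPv6 flag distinction confined to the two call sites, which is where this bug originated. nft_ipv4_save_firewall's body starts above the hunk, so I cannot see whether it has an early return that would also need the trailing newline.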
index 7c8b43fc42dbb103ffb11f22503b220e35403e3c..f08598ae4b7acb95920c7776801d0247630f6765 100644 (file)
@@ -59,7 +59,7 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
        if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
                return -1;
 
-       return add_action(r, cs, cs->fw6.ipv6.flags);
+       return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
 }
 
 static bool nft_ipv6_is_same(const void *data_a,
@@ -138,7 +138,7 @@ static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
        cs->jumpto = jumpto;
 
        if (nft_goto)
-               cs->fw6.ipv6.flags |= IPT_F_GOTO;
+               cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
 static void print_ipv6_addr(const struct iptables_command_state *cs,
@@ -195,10 +195,8 @@ static void nft_ipv6_print_firewall(struct nft_rule *r, unsigned int num,
        if (format & FMT_NOTABLE)
                fputs("  ", stdout);
 
-#ifdef IPT_F_GOTO
-       if (cs.fw6.ipv6.flags & IPT_F_GOTO)
+       if (cs.fw6.ipv6.flags & IP6T_F_GOTO)
                printf("[goto] ");
-#endif
 
        print_matches_and_target(&cs, format);
 
@@ -234,6 +232,12 @@ static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 
        save_matches_and_target(cs->matches, cs->target,
                                cs->jumpto, cs->fw6.ipv6.flags, &cs->fw6);
+
+       if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+               printf("-%c %s", cs->fw6.ipv6.flags & IP6T_F_GOTO ? 'g' : 'j',
+                      cs->jumpto);
+       }
+       printf("\n");
 }
 
 /* These are invalid numbers as upper layer protocol */
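Review bot: The one-line change in nft_ipv6_parse_immediate, `cs->fw6.ipv6.flags |= IP6T_F_GOTO;`, is the actual bug fix, but nothing at that site records why the IPv4-looking constant was wrong, so the same slip is easy to reintroduce during a later merge or copy from nft-ipv4.c. A short comment above the assignment would pin it down, e.g. `/* IP6T_F_GOTO, not IPT_F_GOTO: the two constants differ (see commit message), and fw6.ipv6.flags must only be tested against the ipv6 one */`. The same reasoning applies to the `[goto]` test in nft_ipv6_print_firewall and the `'g'`/`'j'` selection in nft_ipv6_save_firewall, which now correctly use IP6T_F_GOTO. nft_ipv6_parse_immediate's signature and the start of its body lie outside the hunk.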
index dce8a34a295b890b8ff57e37c4f477fa48ecf666..ada71e6b4073fd00db7dab21a487172b9d57a5a3 100644 (file)
@@ -648,10 +648,7 @@ void save_matches_and_target(struct xtables_rule_match *m,
 
                if (target->save != NULL)
                        target->save(fw, target->t);
-       } else if (strlen(jumpto) > 0)
-               printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);
-
-       printf("\n");
+       }
 }
 
 void print_matches_and_target(struct iptables_command_state *cs,
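Review bot: Dropping the jump/goto print and the trailing `printf("\n")` changes the output contract of save_matches_and_target, a non-static function, and this commit updates only the two callers in nft-ipv4.c and nft-ipv6.c; any other caller would now emit a rule line with neither its target nor a newline. I cannot tell from the diff whether other callers exist, so this is worth a grep before merging. In either case the function's header comment (above the hunk, not visible here) should state the new contract, e.g. `/* Prints the matches and the target's own options only; the caller is responsible for printing "-j"/"-g" and the terminating newline. */`.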
index 515d124a5c2e1491d9af39d3299f3b0aaa003b41..a45d599bc4a620f171b568ff8882d81a692d7c1a 100644 (file)
@@ -864,7 +864,7 @@ int add_verdict(struct nft_rule *r, int verdict)
 }
 
 int add_action(struct nft_rule *r, struct iptables_command_state *cs,
-             int ip_flags)
+              bool goto_set)
 {
        int ret = 0;
 
@@ -881,7 +881,7 @@ int add_action(struct nft_rule *r, struct iptables_command_state *cs,
                       ret = add_target(r, cs->target->t);
        } else if (strlen(cs->jumpto) > 0) {
               /* Not standard, then it's a go / jump to chain */
-              if (ip_flags & IPT_F_GOTO)
+              if (goto_set)
                       ret = add_jumpto(r, cs->jumpto, NFT_GOTO);
               else
                       ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
index 8670f343bdfb102eaac4f36b2d564f5061a198e0..92488764196c4518ad5f8d33aa0a5f106c32913b 100644 (file)
@@ -107,7 +107,7 @@ int add_verdict(struct nft_rule *r, int verdict);
 int add_match(struct nft_rule *r, struct xt_entry_match *m);
 int add_target(struct nft_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nft_rule *r, const char *name, int verdict);
-int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags);
+int add_action(struct nft_rule *r, struct iptables_command_state *cs, bool goto_set);
 
 enum nft_rule_print {
        NFT_RULE_APPEND,
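Review bot: The changed prototype of add_action introduces `bool` into nft.h, so the header is self-contained only if it includes <stdbool.h> itself (or already gets it transitively); otherwise every translation unit that includes nft.h before <stdbool.h> stops compiling. I cannot see the top of nft.h in this diff, so if the include is not already there, add `#include <stdbool.h>` near the top of nft.h rather than relying on include order in nft.c and the nft-ipv4.c/nft-ipv6.c callers. The definition in nft.c (iptables/nft.c, `bool goto_set)`) is covered by the same include once nft.h is fixed.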