From: Phil Sutter
Date: Sat, 22 Oct 2022 13:26:56 +0000 (+0200)
Subject: nft: Recognize INVAL/D interface name
X-Git-Tag: v1.8.9~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29387a190f5ba04fb8a902dce9602292979a9ba2;p=thirdparty%2Fiptables.git

nft: Recognize INVAL/D interface name

It is just a hack to translate '! -i +' into a never matching nft rule,
but recognize it anyway for completeness' sake and to make xlate replay
test pass.

Signed-off-by: Phil Sutter
---

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 2bb46709..56acbd45 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -359,6 +359,21 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 	return 0;
 }
 
+static void parse_invalid_iface(char *iface, unsigned char *mask,
+				uint8_t *invflags, uint8_t invbit)
+{
+	if (*invflags & invbit || strcmp(iface, "INVAL/D"))
+		return;
+
+	/* nft's poor "! -o +" excuse */
+	*invflags |= invbit;
+	iface[0] = '+';
+	iface[1] = '\0';
+	mask[0] = 0xff;
+	mask[1] = 0xff;
+	memset(mask + 2, 0, IFNAMSIZ - 2);
+}
+
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 	       char *iniface, unsigned char *iniface_mask,
 	       char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
@@ -393,6 +408,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 		*invflags |= IPT_INV_VIA_IN;
 
 		parse_ifname(ifname, len, iniface, iniface_mask);
+		parse_invalid_iface(iniface, iniface_mask,
+				    invflags, IPT_INV_VIA_IN);
 		break;
 	case NFT_META_BRI_OIFNAME:
 	case NFT_META_OIFNAME:
@@ -401,6 +418,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 		*invflags |= IPT_INV_VIA_OUT;
 
 		parse_ifname(ifname, len, outiface, outiface_mask);
+		parse_invalid_iface(outiface, outiface_mask,
+				    invflags, IPT_INV_VIA_OUT);
 		break;
 	case NFT_META_MARK:
 		parse_meta_mark(ctx, e);
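Review bot: `strcmp(iface, "INVAL/D")` in parse_invalid_iface assumes iface is NUL-terminated, which rests on parse_ifname (called just before it, but outside this hunk) always writing a terminator into the IFNAMSIZ buffer; if it can hand back an unterminated name for a full-length wildcard, the compare reads past the buffer, and `strncmp(iface, "INVAL/D", IFNAMSIZ)` bounds it at no cost. The comment `/* nft's poor "! -o +" excuse */` also undersells what the function does and names only the output side although it serves both directions; a fuller comment would be `/* Translating "! -i +" / "! -o +" emits the sentinel name "INVAL/D" (presumably one the kernel never accepts), so the rule never matches; map the sentinel back to the inverted bare wildcard so it lists as entered. */`. Worth noting in that comment too: a sentinel arriving with the inverted bit already set is deliberately left alone, while a non-inverted `-i INVAL/D`, if the command-line parser lets such a name through, will read back as `! -i +` — semantically the same never-matching rule, but not the text the user typed. Finally, the guard reads more clearly with explicit grouping, `if ((*invflags & invbit) || strcmp(iface, "INVAL/D"))`, since the mix of `&` and `||` otherwise invites a second look at precedence.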