From: Phil Sutter
Date: Thu, 1 Feb 2024 14:57:46 +0000 (+0100)
Subject: extensions: ipcomp: Save inverted full ranges
X-Git-Tag: v1.8.11~77
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d400db20cf9f1c4a57c0791e563f22bafcd841a;p=thirdparty%2Fiptables.git
extensions: ipcomp: Save inverted full ranges
Fixes: 0bb8765cc28cf ("iptables: Add IPv4/6 IPcomp match support")
Signed-off-by: Phil Sutter
---
diff --git a/extensions/libxt_ipcomp.c b/extensions/libxt_ipcomp.c
index 4171c4a1..961c17e5 100644
--- a/extensions/libxt_ipcomp.c
+++ b/extensions/libxt_ipcomp.c
@@ -76,11 +76,12 @@ static void comp_print(const void *ip, const struct xt_entry_match *match,
 static void comp_save(const void *ip, const struct xt_entry_match *match)
 {
 const struct xt_ipcomp *compinfo = (struct xt_ipcomp *)match->data;
+ bool inv_spi = compinfo->invflags & XT_IPCOMP_INV_SPI;
 if (!(compinfo->spis[0] == 0
- && compinfo->spis[1] == 0xFFFFFFFF)) {
- printf("%s --ipcompspi ",
- (compinfo->invflags & XT_IPCOMP_INV_SPI) ? " !" : "");
+ && compinfo->spis[1] == UINT32_MAX
+ && !inv_spi)) {
+ printf("%s --ipcompspi ", inv_spi ? " !" : "");
 if (compinfo->spis[0] != compinfo->spis[1])
 printf("%u:%u",
diff --git a/extensions/libxt_ipcomp.t b/extensions/libxt_ipcomp.t
index 375f885a..e25695c6 100644
--- a/extensions/libxt_ipcomp.t
+++ b/extensions/libxt_ipcomp.t
@@ -2,7 +2,7 @@
 -p ipcomp -m ipcomp --ipcompspi 18 -j DROP;=;OK
 -p ipcomp -m ipcomp ! --ipcompspi 18 -j ACCEPT;=;OK
 -p ipcomp -m ipcomp --ipcompspi :;-p ipcomp -m ipcomp;OK
--p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp;OK
+-p ipcomp -m ipcomp ! --ipcompspi :;-p ipcomp -m ipcomp ! --ipcompspi 0:4294967295;OK
 -p ipcomp -m ipcomp --ipcompspi :4;-p ipcomp -m ipcomp --ipcompspi 0:4;OK
 -p ipcomp -m ipcomp --ipcompspi 4:;-p ipcomp -m ipcomp --ipcompspi 4:4294967295;OK
 -p ipcomp -m ipcomp --ipcompspi 3:4;=;OK
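Review bot: The new `&& !inv_spi` term in comp_save's condition carries the whole fix, yet nothing in the code says why an inverted full range must still be written out. Going by the updated libxt_ipcomp.t expectation, `! --ipcompspi :` used to be saved as a bare `-m ipcomp`, so a rule that excluded every SPI would presumably come back from a save/restore cycle matching every IPcomp packet. A one-line comment above the `if`, such as `/* 0:UINT32_MAX is a no-op only when not inverted; inverted it must be saved or restore widens the rule */`, would keep a later cleanup from dropping the term. comp_print, named in the hunk header, and the remainder of comp_save lie outside this hunk, so it is worth confirming that the listing path treats the inverted full range the same way.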