nft: Leave interface masks alone when parsing from kernel

The mask is entirely unused by nft-variants in general and legacy ones
when printing. It is relevant only when inserting a legacy rule into
kernel as it doesn't detect the '+'-suffix.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-ruleparse-arp.c b/iptables/nft-ruleparse-arp.c
index cd74747e918959e6ecad0b287eb5b14a5a438420..b0671cb0dfe8fa9ceb37195777ea76d3e1c95ad8 100644 (file)
--- a/iptables/nft-ruleparse-arp.c
+++ b/iptables/nft-ruleparse-arp.c
@@ -34,9 +34,8 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx,
        struct arpt_entry *fw = &cs->arp;
        uint8_t flags = 0;
 
-       if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface, fw->arp.iniface_mask,
-                  fw->arp.outiface, fw->arp.outiface_mask,
-                  &flags) == 0) {
+       if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface,
+                      fw->arp.outiface, &flags) == 0) {
                fw->arp.invflags |= flags;
                return;
        }

diff --git a/iptables/nft-ruleparse-bridge.c b/iptables/nft-ruleparse-bridge.c
index c6cc9af5ea198515ed3b9ac7510ebc73c7343f28..aee08b1396c1a31abd2a84e317eb16d2d3d17ccf 100644 (file)
--- a/iptables/nft-ruleparse-bridge.c
+++ b/iptables/nft-ruleparse-bridge.c
@@ -43,7 +43,8 @@ static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
                return;
        }
 
-       if (parse_meta(ctx, e, reg->meta_dreg.key, iifname, NULL, oifname, NULL, &invflags) < 0) {
+       if (parse_meta(ctx, e, reg->meta_dreg.key,
+                      iifname, oifname, &invflags) < 0) {
                ctx->errmsg = "unknown meta key";
                return;
        }

diff --git a/iptables/nft-ruleparse-ipv4.c b/iptables/nft-ruleparse-ipv4.c
index 491cbf42c7754e00db4d6cf2aed214cae0aca720..fe65b33cf847b0c942b446b002eafc73b3ae6f98 100644 (file)
--- a/iptables/nft-ruleparse-ipv4.c
+++ b/iptables/nft-ruleparse-ipv4.c
@@ -41,9 +41,8 @@ static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx,
                break;
        }
 
-       if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
-                  cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
-                  &cs->fw.ip.invflags) == 0)
+       if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface,
+                      cs->fw.ip.outiface, &cs->fw.ip.invflags) == 0)
                return;
 
        ctx->errmsg = "unknown ipv4 meta key";

diff --git a/iptables/nft-ruleparse-ipv6.c b/iptables/nft-ruleparse-ipv6.c
index 7581b8636e601f30d29a6bb35b94214421ecd49f..29b085802f76c391511c81984997020ca84d4768 100644 (file)
--- a/iptables/nft-ruleparse-ipv6.c
+++ b/iptables/nft-ruleparse-ipv6.c
@@ -42,8 +42,7 @@ static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx,
        }
 
        if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw6.ipv6.iniface,
-                  cs->fw6.ipv6.iniface_mask, cs->fw6.ipv6.outiface,
-                  cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags) == 0)
+                      cs->fw6.ipv6.outiface, &cs->fw6.ipv6.invflags) == 0)
                return;
 
        ctx->errmsg = "unknown ipv6 meta key";

diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index c8322f936acd9e70642358abe440eaeb9cbbf79f..0bbdf44fafe03d7387a0ec9e6e3eef364e00d7d1 100644 (file)
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -983,18 +983,14 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
        return ret;
 }
 
-static void parse_ifname(const char *name, unsigned int len,
-                        char *dst, unsigned char *mask)
+static void parse_ifname(const char *name, unsigned int len, char *dst)
 {
        if (len == 0)
                return;
 
        memcpy(dst, name, len);
-       if (name[len - 1] == '\0') {
-               if (mask)
-                       memset(mask, 0xff, strlen(name) + 1);
+       if (name[len - 1] == '\0')
                return;
-       }
 
        if (len >= IFNAMSIZ)
                return;
@@ -1004,12 +1000,9 @@ static void parse_ifname(const char *name, unsigned int len,
        if (len >= IFNAMSIZ)
                return;
        dst[len++] = 0;
-       if (mask)
-               memset(mask, 0xff, len - 2);
 }
 
-static void parse_invalid_iface(char *iface, unsigned char *mask,
-                               uint8_t *invflags, uint8_t invbit)
+static void parse_invalid_iface(char *iface, uint8_t *invflags, uint8_t invbit)
 {
        if (*invflags & invbit || strcmp(iface, "INVAL/D"))
                return;
@@ -1018,9 +1011,6 @@ static void parse_invalid_iface(char *iface, unsigned char *mask,
        *invflags |= invbit;
        iface[0] = '+';
        iface[1] = '\0';
-       mask[0] = 0xff;
-       mask[1] = 0xff;
-       memset(mask + 2, 0, IFNAMSIZ - 2);
 }
 
 static uint32_t get_meta_mask(struct nft_xt_ctx *ctx, enum nft_registers sreg)
@@ -1071,8 +1061,7 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 }
 
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
-              char *iniface, unsigned char *iniface_mask,
-              char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
+              char *iniface, char *outiface, uint8_t *invflags)
 {
        uint32_t value;
        const void *ifname;
@@ -1085,8 +1074,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                        *invflags |= IPT_INV_VIA_IN;
 
                if_indextoname(value, iniface);
-
-               memset(iniface_mask, 0xff, strlen(iniface)+1);
                break;
        case NFT_META_OIF:
                value = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_DATA);
@@ -1094,8 +1081,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                        *invflags |= IPT_INV_VIA_OUT;
 
                if_indextoname(value, outiface);
-
-               memset(outiface_mask, 0xff, strlen(outiface)+1);
                break;
        case NFT_META_BRI_IIFNAME:
        case NFT_META_IIFNAME:
@@ -1103,9 +1088,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
                        *invflags |= IPT_INV_VIA_IN;
 
-               parse_ifname(ifname, len, iniface, iniface_mask);
-               parse_invalid_iface(iniface, iniface_mask,
-                                   invflags, IPT_INV_VIA_IN);
+               parse_ifname(ifname, len, iniface);
+               parse_invalid_iface(iniface, invflags, IPT_INV_VIA_IN);
                break;
        case NFT_META_BRI_OIFNAME:
        case NFT_META_OIFNAME:
@@ -1113,9 +1097,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
                if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
                        *invflags |= IPT_INV_VIA_OUT;
 
-               parse_ifname(ifname, len, outiface, outiface_mask);
-               parse_invalid_iface(outiface, outiface_mask,
-                                   invflags, IPT_INV_VIA_OUT);
+               parse_ifname(ifname, len, outiface);
+               parse_invalid_iface(outiface, invflags, IPT_INV_VIA_OUT);
                break;
        case NFT_META_MARK:
                parse_meta_mark(ctx, e);

diff --git a/iptables/nft-ruleparse.h b/iptables/nft-ruleparse.h
index 25ce05d2e864428d9d128691e181ff4228e81b8c..62c9160d7771151d8fb6525fd29253b797ba8ca2 100644 (file)
--- a/iptables/nft-ruleparse.h
+++ b/iptables/nft-ruleparse.h
@@ -128,8 +128,7 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
 #define max(x, y) ((x) > (y) ? (x) : (y))
 
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
-              char *iniface, unsigned char *iniface_mask, char *outiface,
-              unsigned char *outiface_mask, uint8_t *invflags);
+              char *iniface, char *outiface, uint8_t *invflags);
 
 int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
                 struct iptables_command_state *cs);