iptables: print negation extrapositioned

This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.

Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

diff --git a/ip6tables.c b/ip6tables.c
index 54366b052c22afe9265a5a1ff1040d4bf76c0837..35067f8ba8158f441f88572155bb571e87283cd3 100644 (file)
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1006,7 +1006,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
        if (mask[0] == 0)
                return;
 
-       printf("-%c %s", letter, invert ? "! " : "");
+       printf("%s-%c ", invert ? "! " : "", letter);
 
        for (i = 0; i < IFNAMSIZ; i++) {
                if (mask[i] != 0) {
@@ -1033,19 +1033,19 @@ static void print_proto(u_int16_t proto, int invert)
 
                struct protoent *pent = getprotobynumber(proto);
                if (pent) {
-                       printf("-p %s%s ",
+                       printf("%s-p %s ",
                               invertstr, pent->p_name);
                        return;
                }
 
                for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
                        if (xtables_chain_protos[i].num == proto) {
-                               printf("-p %s%s ",
+                               printf("%s-p %s ",
                                       invertstr, xtables_chain_protos[i].name);
                                return;
                        }
 
-               printf("-p %s%u ", invertstr, proto);
+               printf("%s-p %u ", invertstr, proto);
        }
 }
 
@@ -1081,9 +1081,9 @@ static void print_ip(char *prefix, const struct in6_addr *ip, const struct in6_a
        if (l == 0 && !invert)
                return;
 
-       printf("%s %s%s",
-               prefix,
+       printf("%s%s %s",
                invert ? "! " : "",
+               prefix,
                inet_ntop(AF_INET6, ip, buf, sizeof buf));
 
        if (l == -1)

diff --git a/iptables.c b/iptables.c
index 3449decdba5e12486421edf810b0e95b2770f5ce..649baf4cbbcd74b8b1279046eb25b85ff7217e20 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -1006,18 +1006,18 @@ static void print_proto(u_int16_t proto, int invert)
 
                struct protoent *pent = getprotobynumber(proto);
                if (pent) {
-                       printf("-p %s%s ", invertstr, pent->p_name);
+                       printf("%s-p %s ", invertstr, pent->p_name);
                        return;
                }
 
                for (i = 0; xtables_chain_protos[i].name != NULL; ++i)
                        if (xtables_chain_protos[i].num == proto) {
-                               printf("-p %s%s ",
+                               printf("%s-p %s ",
                                       invertstr, xtables_chain_protos[i].name);
                                return;
                        }
 
-               printf("-p %s%u ", invertstr, proto);
+               printf("%s-p %u ", invertstr, proto);
        }
 }
 
@@ -1039,7 +1039,7 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
        if (mask[0] == 0)
                return;
 
-       printf("-%c %s", letter, invert ? "! " : "");
+       printf("%s-%c ", invert ? "! " : "", letter);
 
        for (i = 0; i < IFNAMSIZ; i++) {
                if (mask[i] != 0) {
@@ -1089,9 +1089,9 @@ static void print_ip(char *prefix, u_int32_t ip, u_int32_t mask, int invert)
        if (!mask && !ip && !invert)
                return;
 
-       printf("%s %s%u.%u.%u.%u",
-               prefix,
+       printf("%s%s %u.%u.%u.%u",
                invert ? "! " : "",
+               prefix,
                IP_PARTS(ip));
 
        if (mask == 0xFFFFFFFFU) {