extensions: libxt_iprange: handle the invert flag properly in translation
If we specify the invert flag, we should put "!=" after "ip saddr/daddr",
so the current translation is wrong:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT != ip daddr 1.1.1.1-1.1.1.2 counter
# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT != ip6 saddr 2003::1-2003::3 counter
After applying this patch:
# iptables-translate -A OUTPUT -m iprange ! --dst-range 1.1.1.1-1.1.1.2
nft add rule ip filter OUTPUT ip daddr != 1.1.1.1-1.1.1.2 counter
# ip6tables-translate -A OUTPUT -m iprange ! --src-range 2003::1-2003::3
nft add rule ip6 filter OUTPUT ip6 saddr != 2003::1-2003::3 counter
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/extensions/libxt_iprange.c b/extensions/libxt_iprange.c
index a76f1e9..8be2481 100644
--- a/extensions/libxt_iprange.c
+++ b/extensions/libxt_iprange.c
@@ -322,18 +322,14 @@
char *space = "";
if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- xt_xlate_add(xl, "!= ");
- xt_xlate_add(xl, "ip saddr");
+ xt_xlate_add(xl, "ip saddr%s",
+ info->flags & IPRANGE_SRC_INV ? " !=" : "");
print_iprange_xlate(&info->src, xl);
space = " ";
}
if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV) {
- xt_xlate_add(xl, "%s!= ", space);
- space = "";
- }
- xt_xlate_add(xl, "%sip daddr", space);
+ xt_xlate_add(xl, "%sip daddr%s", space,
+ info->flags & IPRANGE_DST_INV ? " !=" : "");
print_iprange_xlate(&info->dst, xl);
}
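Review bot: The new ternaries on lines 26 and 37 rely on `&` binding tighter than `?:`, which is correct but easy to misread as `info->flags & (IPRANGE_SRC_INV ? ...)`; parenthesizing the test, `(info->flags & IPRANGE_SRC_INV) ? " !=" : ""`, makes the intent obvious. The same `flag ? " !=" : ""` expression is repeated at six sites across this hunk and the two following ones (the IPv4 and IPv6 numeric variants), so a one-line `static const char *` helper taking the flags word and the invert bit would remove the duplication and keep the three translators from drifting apart. The enclosing function begins before this hunk.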
@@ -348,23 +344,19 @@
char *space = "";
if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- xt_xlate_add(xl, "!= ");
- xt_xlate_add(xl, "ip saddr %s",
- xtables_ipaddr_to_numeric(&info->src_min.in));
+ xt_xlate_add(xl, "ip saddr%s %s",
+ info->flags & IPRANGE_SRC_INV ? " !=" : "",
+ xtables_ipaddr_to_numeric(&info->src_min.in));
xt_xlate_add(xl, "-%s",
- xtables_ipaddr_to_numeric(&info->src_max.in));
+ xtables_ipaddr_to_numeric(&info->src_max.in));
space = " ";
}
if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV) {
- xt_xlate_add(xl, "%s!= ", space);
- space = "";
- }
- xt_xlate_add(xl, "%sip daddr %s", space,
- xtables_ipaddr_to_numeric(&info->dst_min.in));
+ xt_xlate_add(xl, "%sip daddr%s %s", space,
+ info->flags & IPRANGE_DST_INV ? " !=" : "",
+ xtables_ipaddr_to_numeric(&info->dst_min.in));
xt_xlate_add(xl, "-%s",
- xtables_ipaddr_to_numeric(&info->dst_max.in));
+ xtables_ipaddr_to_numeric(&info->dst_max.in));
}
return 1;
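Review bot: The min and max addresses are still emitted through two separate xt_xlate_add() calls (lines 47-49 and 50-52, likewise 62-64 and 65-67), and nothing in the code says why they cannot be combined into one format string; xtables_ipaddr_to_numeric() returns its result in a static buffer, so passing two calls as arguments to a single xt_xlate_add() would print the same address twice. A short comment above the first call, `/* xtables_ipaddr_to_numeric() reuses a static buffer: emit min and max in separate calls */`, would stop a future cleanup from merging them. The same applies to the xtables_ip6addr_to_numeric() calls in the following hunk. The enclosing function begins before this hunk.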
@@ -378,23 +370,19 @@
char *space = "";
if (info->flags & IPRANGE_SRC) {
- if (info->flags & IPRANGE_SRC_INV)
- xt_xlate_add(xl, "!= ");
- xt_xlate_add(xl, "ip6 saddr %s",
- xtables_ip6addr_to_numeric(&info->src_min.in6));
+ xt_xlate_add(xl, "ip6 saddr%s %s",
+ info->flags & IPRANGE_SRC_INV ? " !=" : "",
+ xtables_ip6addr_to_numeric(&info->src_min.in6));
xt_xlate_add(xl, "-%s",
- xtables_ip6addr_to_numeric(&info->src_max.in6));
+ xtables_ip6addr_to_numeric(&info->src_max.in6));
space = " ";
}
if (info->flags & IPRANGE_DST) {
- if (info->flags & IPRANGE_DST_INV) {
- xt_xlate_add(xl, "%s!= ", space);
- space = "";
- }
- xt_xlate_add(xl, "%sip6 daddr %s", space,
- xtables_ip6addr_to_numeric(&info->dst_min.in6));
+ xt_xlate_add(xl, "%sip6 daddr%s %s", space,
+ info->flags & IPRANGE_DST_INV ? " !=" : "",
+ xtables_ip6addr_to_numeric(&info->dst_min.in6));
xt_xlate_add(xl, "-%s",
- xtables_ip6addr_to_numeric(&info->dst_max.in6));
+ xtables_ip6addr_to_numeric(&info->dst_max.in6));
}
return 1;