Snap for 5339364 from 6938ab6bbf9d67c78f4221a866624ea3a8fdd38e to qt-release

Change-Id: Ia243ecd6f6308dc19312d81f233758e64cf364d6
diff --git a/extensions/libxt_connbytes.c b/extensions/libxt_connbytes.c
index ed2ad25..b57f0fc 100644
--- a/extensions/libxt_connbytes.c
+++ b/extensions/libxt_connbytes.c
@@ -156,6 +156,61 @@
 	print_direction(sinfo);
 }
 
+
+static int connbytes_xlate(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_connbytes_info *info = (void *)params->match->data;
+	unsigned long long from, to;
+	bool invert = false;
+
+	xt_xlate_add(xl, "ct ");
+
+	switch (info->direction) {
+	case XT_CONNBYTES_DIR_ORIGINAL:
+		xt_xlate_add(xl, "original ");
+		break;
+	case XT_CONNBYTES_DIR_REPLY:
+		xt_xlate_add(xl, "reply ");
+		break;
+	case XT_CONNBYTES_DIR_BOTH:
+		break;
+	default:
+		return 0;
+	}
+
+	switch (info->what) {
+	case XT_CONNBYTES_PKTS:
+		xt_xlate_add(xl, "packets ");
+		break;
+	case XT_CONNBYTES_BYTES:
+		xt_xlate_add(xl, "bytes ");
+		break;
+	case XT_CONNBYTES_AVGPKT:
+		xt_xlate_add(xl, "avgpkt ");
+		break;
+	default:
+		return 0;
+	}
+
+	if (info->count.from > info->count.to) {
+		invert = true;
+		from = info->count.to;
+		to = info->count.from;
+	} else {
+		to = info->count.to;
+		from = info->count.from;
+	}
+
+	if (from == to)
+		xt_xlate_add(xl, "%llu", from);
+	else if (to == UINT64_MAX)
+		xt_xlate_add(xl, "%s %llu", invert ? "lt" : "ge", from);
+	else
+		xt_xlate_add(xl, "%s%llu-%llu", invert ? "!= " : "", from, to);
+	return 1;
+}
+
 static struct xtables_match connbytes_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name 		= "connbytes",
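Review bot: `connbytes_xlate` treats `info->count.from > info->count.to` as the sign of an inverted match, but nothing in the new function says so, and the swap that follows is hard to read without it. A comment above that `if` would help, for example `/* an inverted range is stored with the bounds swapped (from > to) */`; the option parser is outside this hunk, so the wording should be checked against it. Because the output is a firewall rule, a reader must be able to confirm that `lt`/`ge` and `!= ` are chosen for the right side, since a mistake would flip which connections the translated rule matches. Both `default:` branches also return 0 after `"ct "` has been added to `xl`, which is only safe if callers discard the buffer on a 0 return.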
@@ -167,6 +222,7 @@
 	.save 		= connbytes_save,
 	.x6_parse	= connbytes_parse,
 	.x6_options	= connbytes_opts,
+	.xlate		= connbytes_xlate,
 };
 
 void _init(void)
diff --git a/extensions/libxt_rpfilter.c b/extensions/libxt_rpfilter.c
index 168e703..d166baa 100644
--- a/extensions/libxt_rpfilter.c
+++ b/extensions/libxt_rpfilter.c
@@ -77,6 +77,31 @@
 	return rpfilter_print_prefix(ip, match->data, "--");
 }
 
+static int rpfilter_xlate(struct xt_xlate *xl,
+			  const struct xt_xlate_mt_params *params)
+{
+	const struct xt_rpfilter_info *info = (void *)params->match->data;
+	bool invert = info->flags & XT_RPFILTER_INVERT;
+
+	if (info->flags & XT_RPFILTER_ACCEPT_LOCAL) {
+		if (invert)
+			xt_xlate_add(xl, "fib saddr type != local ");
+		else
+			return 0;
+	}
+
+	xt_xlate_add(xl, "fib saddr ");
+
+	if (info->flags & XT_RPFILTER_VALID_MARK)
+		xt_xlate_add(xl, ". mark ");
+	if (!(info->flags & XT_RPFILTER_LOOSE))
+		xt_xlate_add(xl, ". iif ");
+
+	xt_xlate_add(xl, "oif %s0", invert ? "" : "!= ");
+
+	return 1;
+}
+
 static struct xtables_match rpfilter_match = {
 	.family		= NFPROTO_UNSPEC,
 	.name		= "rpfilter",
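Review bot: The `XT_RPFILTER_ACCEPT_LOCAL` branch in `rpfilter_xlate` translates only the inverted form and returns 0 otherwise, with no comment explaining the asymmetry. Presumably the non-inverted match means "valid reverse path or local source", which one chain of nft expressions cannot express as an alternative, while its negation is a plain conjunction. A short comment to that effect above `if (invert)` would keep a later editor from treating the `return 0` as an oversight and emitting a rule that filters differently. The final call would also read more clearly as `xt_xlate_add(xl, invert ? "oif 0" : "oif != 0");` than with the `"oif %s0"` format.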
@@ -88,6 +113,7 @@
 	.save		= rpfilter_save,
 	.x6_parse	= rpfilter_parse,
 	.x6_options	= rpfilter_opts,
+	.xlate		= rpfilter_xlate,
 };
 
 void _init(void)
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index f35e921..053413a 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -35,10 +35,16 @@
 	int ret = 1;
 	FILE *procfile = NULL;
 	char tablename[XT_TABLE_MAXNAMELEN+1];
+	static const char filename[] = "/proc/net/ip6_tables_names";
 
-	procfile = fopen("/proc/net/ip6_tables_names", "re");
-	if (!procfile)
-		return ret;
+	procfile = fopen(filename, "re");
+	if (!procfile) {
+		if (errno == ENOENT)
+			return ret;
+		fprintf(stderr, "Failed to list table names in %s: %s\n",
+		        filename, strerror(errno));
+		exit(1);
+	}
 
 	while (fgets(tablename, sizeof(tablename), procfile)) {
 		if (tablename[strlen(tablename) - 1] != '\n')
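Review bot: The `errno == ENOENT` branch still returns the initial `ret = 1` without any message, so a missing proc file looks the same to the caller as a listing that found no tables. ENOENT can mean the table module is not loaded, but it also occurs when /proc is not mounted (for instance in a chroot or minimal container), and in that case a save would presumably produce empty output with a success status. If the silence is intended, a comment should say so, e.g. `/* ENOENT: table module not loaded, nothing to save */`. The same applies to the identical hunk in iptables/iptables-save.c. The enclosing function starts and ends outside the hunk, so the meaning of `ret` for the caller is inferred.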
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 238f368..e8ae9c6 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -33,10 +33,16 @@
 	int ret = 1;
 	FILE *procfile = NULL;
 	char tablename[XT_TABLE_MAXNAMELEN+1];
+	static const char filename[] = "/proc/net/ip_tables_names";
 
-	procfile = fopen("/proc/net/ip_tables_names", "re");
-	if (!procfile)
-		return ret;
+	procfile = fopen(filename, "re");
+	if (!procfile) {
+		if (errno == ENOENT)
+			return ret;
+		fprintf(stderr, "Failed to list table names in %s: %s\n",
+		        filename, strerror(errno));
+		exit(1);
+	}
 
 	while (fgets(tablename, sizeof(tablename), procfile)) {
 		if (tablename[strlen(tablename) - 1] != '\n')
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 52b1bed..e5947a7 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -489,12 +489,11 @@
 
 	/* Always add counters per rule, as in iptables */
 	xt_xlate_add(xl, "counter ");
+	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
 	comment = xt_xlate_get_comment(xl);
 	if (comment)
-		xt_xlate_add(xl, "comment %s", comment);
-
-	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
+		xt_xlate_add(xl, " comment %s", comment);
 
 	return ret;
 }
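Review bot: The comment text is inserted into the translated rule with a bare `%s` in `xt_xlate_add(xl, " comment %s", comment);`, and nothing in the hunk shows whether `xt_xlate_get_comment()` returns it already quoted and escaped. Since the comment originates from the rule being translated, the contract should be stated where the string is emitted, for example `/* comment is stored already quoted by the comment match's xlate */` if that is the case. The block also appends the comment without looking at `ret`, so a failed `xlate_action()` still extends the buffer. The same applies to the matching hunk in iptables/nft-ipv6.c. The enclosing function starts outside the hunk.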
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index c475b8e..9cf4058 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -438,12 +438,11 @@
 
 	/* Always add counters per rule, as in iptables */
 	xt_xlate_add(xl, "counter ");
+	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
 	comment = xt_xlate_get_comment(xl);
 	if (comment)
-		xt_xlate_add(xl, "comment %s", comment);
-
-	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
+		xt_xlate_add(xl, " comment %s", comment);
 
 	return ret;
 }