|
|
576484 |
From 1e1fda9ac0a809c64fd13b4fb759becac824809e Mon Sep 17 00:00:00 2001
|
|
|
576484 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
576484 |
Date: Thu, 13 Feb 2020 14:01:50 +0100
|
|
|
576484 |
Subject: [PATCH] xtables-translate: Fix for iface++
|
|
|
576484 |
|
|
|
576484 |
In legacy iptables, only the last plus sign remains special, any
|
|
|
576484 |
previous ones are taken literally. Therefore xtables-translate must not
|
|
|
576484 |
replace all of them with asterisk but just the last one.
|
|
|
576484 |
|
|
|
576484 |
Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
|
|
|
576484 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
576484 |
(cherry picked from commit 94488d4eb912f5af4c88d148b39b38eb8a3c1f0b)
|
|
|
576484 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
576484 |
---
|
|
|
576484 |
extensions/generic.txlate | 4 ++++
|
|
|
576484 |
iptables/xtables-translate.c | 6 +++---
|
|
|
576484 |
2 files changed, 7 insertions(+), 3 deletions(-)
|
|
|
576484 |
|
|
|
576484 |
diff --git a/extensions/generic.txlate b/extensions/generic.txlate
|
|
|
576484 |
index c92d082abea78..0e256c3727559 100644
|
|
|
576484 |
--- a/extensions/generic.txlate
|
|
|
576484 |
+++ b/extensions/generic.txlate
|
|
|
576484 |
@@ -23,6 +23,10 @@ nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:
|
|
|
576484 |
iptables-translate -A FORWARD -i '*' -o 'eth*foo'
|
|
|
576484 |
nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
|
|
|
576484 |
|
|
|
576484 |
+# escape all asterisks but translate only the first plus character
|
|
|
576484 |
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
|
|
|
576484 |
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
|
|
|
576484 |
+
|
|
|
576484 |
# skip for always matching interface names
|
|
|
576484 |
iptables-translate -A FORWARD -i '+'
|
|
|
576484 |
nft add rule ip filter FORWARD counter
|
|
|
576484 |
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
|
|
|
576484 |
index c4e177c0d63ba..0f95855b41aa4 100644
|
|
|
576484 |
--- a/iptables/xtables-translate.c
|
|
|
576484 |
+++ b/iptables/xtables-translate.c
|
|
|
576484 |
@@ -40,9 +40,6 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
|
|
|
576484 |
|
|
|
576484 |
for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
|
|
|
576484 |
switch (ifname[i]) {
|
|
|
576484 |
- case '+':
|
|
|
576484 |
- iface[j] = '*';
|
|
|
576484 |
- break;
|
|
|
576484 |
case '*':
|
|
|
576484 |
iface[j++] = '\\';
|
|
|
576484 |
/* fall through */
|
|
|
576484 |
@@ -65,6 +62,9 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
|
|
|
576484 |
invert = false;
|
|
|
576484 |
}
|
|
|
576484 |
|
|
|
576484 |
+ if (iface[j - 2] == '+')
|
|
|
576484 |
+ iface[j - 2] = '*';
|
|
|
576484 |
+
|
|
|
576484 |
xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
|
|
|
576484 |
}
|
|
|
576484 |
|
|
|
576484 |
--
|
|
|
576484 |
2.24.1
|
|
|
576484 |
|