From 71eb9a84f50211f78cf2b7b5ef34f99944a76c02 Mon Sep 17 00:00:00 2001

From: Phil Sutter <phil@nwl.cc>

Date: Tue, 5 Feb 2019 18:18:02 +0100

Subject: [PATCH] Revert "ebtables: use extrapositioned negation consistently"

This reverts commit 5f508b76a0cebaf91965ffa678089222e2d47964.

While attempts at unifying syntax between arp-, eb- and iptables-nft

increase the opportunity for more code-sharing, they are problematic

when it comes to compatibility. Accepting the old syntax on input helps,

but due to the fact that neither arptables nor ebtables support --check

command we must expect for users to test existence of a rule by

comparing input with output. If that happens in a script, deviating from

the old syntax in output has a high chance of breaking it.

Therefore revert Florian's patch changing inversion character position

in output and review the old code for consistency - the only thing

changed on top of the actual revert is ebtables' own copy of

print_iface() to make it adhere to the intrapositioned negation scheme

used throughout ebtables.

Added extension tests by the reverted commit have been kept.

Signed-off-by: Phil Sutter <phil@nwl.cc>

Signed-off-by: Florian Westphal <fw@strlen.de>

(cherry picked from commit 35b22e82fa62e10950d8e0fa53a755d4abadf346)

Conflicts:

- Drop changes to extensions/*.t since these files don't exist in

  release tarballs.

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 extensions/libebt_802_3.c   |  4 ++--

 extensions/libebt_arp.c     | 14 +++++++-------

 extensions/libebt_ip.c      | 16 ++++++++--------

 extensions/libebt_ip6.c     | 14 +++++++-------

 extensions/libebt_mark_m.c  |  2 +-

 extensions/libebt_pkttype.c |  5 +----

 extensions/libebt_stp.c     |  5 ++---

 extensions/libebt_vlan.c    | 13 ++++---------

 iptables/nft-bridge.c       |  6 +++---

 9 files changed, 35 insertions(+), 44 deletions(-)

diff --git a/extensions/libebt_802_3.c b/extensions/libebt_802_3.c

index 9e91d05262591..f05d02ead5a4a 100644

--- a/extensions/libebt_802_3.c

+++ b/extensions/libebt_802_3.c

@@ -98,15 +98,15 @@ static void br802_3_print(const void *ip, const struct xt_entry_match *match,

 	struct ebt_802_3_info *info = (struct ebt_802_3_info *)match->data;

 	if (info->bitmask & EBT_802_3_SAP) {

+		printf("--802_3-sap ");

 		if (info->invflags & EBT_802_3_SAP)

 			printf("! ");

-		printf("--802_3-sap ");

 		printf("0x%.2x ", info->sap);

 	}

 	if (info->bitmask & EBT_802_3_TYPE) {

+		printf("--802_3-type ");

 		if (info->invflags & EBT_802_3_TYPE)

 			printf("! ");

-		printf("--802_3-type ");

 		printf("0x%.4x ", ntohs(info->type));

 	}

 }

diff --git a/extensions/libebt_arp.c b/extensions/libebt_arp.c

index c1b0ab1db0cf1..a062b7e7e5864 100644

--- a/extensions/libebt_arp.c

+++ b/extensions/libebt_arp.c

@@ -338,51 +338,51 @@ static void brarp_print(const void *ip, const struct xt_entry_match *match, int

 	if (arpinfo->bitmask & EBT_ARP_OPCODE) {

 		int opcode = ntohs(arpinfo->opcode);

+		printf("--arp-op ");

 		if (arpinfo->invflags & EBT_ARP_OPCODE)

 			printf("! ");

-		printf("--arp-op ");

 		if (opcode > 0 && opcode <= ARRAY_SIZE(opcodes))

 			printf("%s ", opcodes[opcode - 1]);

 		else

 			printf("%d ", opcode);

 	}

 	if (arpinfo->bitmask & EBT_ARP_HTYPE) {

+		printf("--arp-htype ");

 		if (arpinfo->invflags & EBT_ARP_HTYPE)

 			printf("! ");

-		printf("--arp-htype ");

 		printf("%d ", ntohs(arpinfo->htype));

 	}

 	if (arpinfo->bitmask & EBT_ARP_PTYPE) {

+		printf("--arp-ptype ");

 		if (arpinfo->invflags & EBT_ARP_PTYPE)

 			printf("! ");

-		printf("--arp-ptype ");

 		printf("0x%x ", ntohs(arpinfo->ptype));

 	}

 	if (arpinfo->bitmask & EBT_ARP_SRC_IP) {

+		printf("--arp-ip-src ");

 		if (arpinfo->invflags & EBT_ARP_SRC_IP)

 			printf("! ");

-		printf("--arp-ip-src ");

 		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->saddr),

 		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->smsk));

 	}

 	if (arpinfo->bitmask & EBT_ARP_DST_IP) {

+		printf("--arp-ip-dst ");

 		if (arpinfo->invflags & EBT_ARP_DST_IP)

 			printf("! ");

-		printf("--arp-ip-dst ");

 		printf("%s%s ", xtables_ipaddr_to_numeric((const struct in_addr*) &arpinfo->daddr),

 		       xtables_ipmask_to_numeric((const struct in_addr*)&arpinfo->dmsk));

 	}

 	if (arpinfo->bitmask & EBT_ARP_SRC_MAC) {

+		printf("--arp-mac-src ");

 		if (arpinfo->invflags & EBT_ARP_SRC_MAC)

 			printf("! ");

-		printf("--arp-mac-src ");

 		xtables_print_mac_and_mask(arpinfo->smaddr, arpinfo->smmsk);

 		printf(" ");

 	}

 	if (arpinfo->bitmask & EBT_ARP_DST_MAC) {

+		printf("--arp-mac-dst ");

 		if (arpinfo->invflags & EBT_ARP_DST_MAC)

 			printf("! ");

-		printf("--arp-mac-dst ");

 		xtables_print_mac_and_mask(arpinfo->dmaddr, arpinfo->dmmsk);

 		printf(" ");

 	}

diff --git a/extensions/libebt_ip.c b/extensions/libebt_ip.c

index d48704fe1c802..acb9bfcdbbd9f 100644

--- a/extensions/libebt_ip.c

+++ b/extensions/libebt_ip.c

@@ -472,35 +472,35 @@ static void brip_print(const void *ip, const struct xt_entry_match *match,

 	struct in_addr *addrp, *maskp;

 	if (info->bitmask & EBT_IP_SOURCE) {

+		printf("--ip-src ");

 		if (info->invflags & EBT_IP_SOURCE)

 			printf("! ");

-		printf("--ip-src ");

 		addrp = (struct in_addr *)&info->saddr;

 		maskp = (struct in_addr *)&info->smsk;

 		printf("%s%s ", xtables_ipaddr_to_numeric(addrp),

 		       xtables_ipmask_to_numeric(maskp));

 	}

 	if (info->bitmask & EBT_IP_DEST) {

+		printf("--ip-dst ");

 		if (info->invflags & EBT_IP_DEST)

 			printf("! ");

-		printf("--ip-dst ");

 		addrp = (struct in_addr *)&info->daddr;

 		maskp = (struct in_addr *)&info->dmsk;

 		printf("%s%s ", xtables_ipaddr_to_numeric(addrp),

 		       xtables_ipmask_to_numeric(maskp));

 	}

 	if (info->bitmask & EBT_IP_TOS) {

+		printf("--ip-tos ");

 		if (info->invflags & EBT_IP_TOS)

 			printf("! ");

-		printf("--ip-tos ");

 		printf("0x%02X ", info->tos);

 	}

 	if (info->bitmask & EBT_IP_PROTO) {

 		struct protoent *pe;

+		printf("--ip-proto ");

 		if (info->invflags & EBT_IP_PROTO)

 			printf("! ");

-		printf("--ip-proto ");

 		pe = getprotobynumber(info->protocol);

 		if (pe == NULL) {

 			printf("%d ", info->protocol);

@@ -509,28 +509,28 @@ static void brip_print(const void *ip, const struct xt_entry_match *match,

 		}

 	}

 	if (info->bitmask & EBT_IP_SPORT) {

+		printf("--ip-sport ");

 		if (info->invflags & EBT_IP_SPORT)

 			printf("! ");

-		printf("--ip-sport ");

 		print_port_range(info->sport);

 	}

 	if (info->bitmask & EBT_IP_DPORT) {

+		printf("--ip-dport ");

 		if (info->invflags & EBT_IP_DPORT)

 			printf("! ");

-		printf("--ip-dport ");

 		print_port_range(info->dport);

 	}

 	if (info->bitmask & EBT_IP_ICMP) {

+		printf("--ip-icmp-type ");

 		if (info->invflags & EBT_IP_ICMP)

 			printf("! ");

-		printf("--ip-icmp-type ");

 		ebt_print_icmp_type(icmp_codes, ARRAY_SIZE(icmp_codes),

 				    info->icmp_type, info->icmp_code);

 	}

 	if (info->bitmask & EBT_IP_IGMP) {

+		printf("--ip-igmp-type ");

 		if (info->invflags & EBT_IP_IGMP)

 			printf("! ");

-		printf("--ip-igmp-type ");

 		ebt_print_icmp_type(igmp_types, ARRAY_SIZE(igmp_types),

 				    info->igmp_type, NULL);

 	}

diff --git a/extensions/libebt_ip6.c b/extensions/libebt_ip6.c

index b727764903ffa..b8a5a5d8c3a92 100644

--- a/extensions/libebt_ip6.c

+++ b/extensions/libebt_ip6.c

@@ -399,31 +399,31 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match,

 	struct ebt_ip6_info *ipinfo = (struct ebt_ip6_info *)match->data;

 	if (ipinfo->bitmask & EBT_IP6_SOURCE) {

+		printf("--ip6-src ");

 		if (ipinfo->invflags & EBT_IP6_SOURCE)

 			printf("! ");

-		printf("--ip6-src ");

 		printf("%s", xtables_ip6addr_to_numeric(&ipinfo->saddr));

 		printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->smsk));

 	}

 	if (ipinfo->bitmask & EBT_IP6_DEST) {

+		printf("--ip6-dst ");

 		if (ipinfo->invflags & EBT_IP6_DEST)

 			printf("! ");

-		printf("--ip6-dst ");

 		printf("%s", xtables_ip6addr_to_numeric(&ipinfo->daddr));

 		printf("%s ", xtables_ip6mask_to_numeric(&ipinfo->dmsk));

 	}

 	if (ipinfo->bitmask & EBT_IP6_TCLASS) {

+		printf("--ip6-tclass ");

 		if (ipinfo->invflags & EBT_IP6_TCLASS)

 			printf("! ");

-		printf("--ip6-tclass ");

 		printf("0x%02X ", ipinfo->tclass);

 	}

 	if (ipinfo->bitmask & EBT_IP6_PROTO) {

 		struct protoent *pe;

+		printf("--ip6-proto ");

 		if (ipinfo->invflags & EBT_IP6_PROTO)

 			printf("! ");

-		printf("--ip6-proto ");

 		pe = getprotobynumber(ipinfo->protocol);

 		if (pe == NULL) {

 			printf("%d ", ipinfo->protocol);

@@ -432,21 +432,21 @@ static void brip6_print(const void *ip, const struct xt_entry_match *match,

 		}

 	}

 	if (ipinfo->bitmask & EBT_IP6_SPORT) {

+		printf("--ip6-sport ");

 		if (ipinfo->invflags & EBT_IP6_SPORT)

 			printf("! ");

-		printf("--ip6-sport ");

 		print_port_range(ipinfo->sport);

 	}

 	if (ipinfo->bitmask & EBT_IP6_DPORT) {

+		printf("--ip6-dport ");

 		if (ipinfo->invflags & EBT_IP6_DPORT)

 			printf("! ");

-		printf("--ip6-dport ");

 		print_port_range(ipinfo->dport);

 	}

 	if (ipinfo->bitmask & EBT_IP6_ICMP6) {

+		printf("--ip6-icmp-type ");

 		if (ipinfo->invflags & EBT_IP6_ICMP6)

 			printf("! ");

-		printf("--ip6-icmp-type ");

 		print_icmp_type(ipinfo->icmpv6_type, ipinfo->icmpv6_code);

 	}

 }

diff --git a/extensions/libebt_mark_m.c b/extensions/libebt_mark_m.c

index 64ad926f19959..2462d0af7d0bc 100644

--- a/extensions/libebt_mark_m.c

+++ b/extensions/libebt_mark_m.c

@@ -86,9 +86,9 @@ static void brmark_m_print(const void *ip, const struct xt_entry_match *match,

 {

 	struct ebt_mark_m_info *info = (struct ebt_mark_m_info *)match->data;

+	printf("--mark ");

 	if (info->invert)

 		printf("! ");

-	printf("--mark ");

 	if (info->bitmask == EBT_MARK_OR)

 		printf("/0x%lx ", info->mask);

 	else if (info->mask != 0xffffffff)

diff --git a/extensions/libebt_pkttype.c b/extensions/libebt_pkttype.c

index 265674d19bde6..4e2d19de7983b 100644

--- a/extensions/libebt_pkttype.c

+++ b/extensions/libebt_pkttype.c

@@ -75,10 +75,7 @@ static void brpkttype_print(const void *ip, const struct xt_entry_match *match,

 {

 	struct ebt_pkttype_info *pt = (struct ebt_pkttype_info *)match->data;

-	if (pt->invert)

-		printf("! ");

-

-	printf("--pkttype-type ");

+	printf("--pkttype-type %s", pt->invert ? "! " : "");

 	if (pt->pkt_type < ARRAY_SIZE(classes))

 		printf("%s ", classes[pt->pkt_type]);

diff --git a/extensions/libebt_stp.c b/extensions/libebt_stp.c

index 33e4c8d9c615d..06cf93b8d8449 100644

--- a/extensions/libebt_stp.c

+++ b/extensions/libebt_stp.c

@@ -307,9 +307,8 @@ static void brstp_print(const void *ip, const struct xt_entry_match *match,

 	for (i = 0; i < STP_NUMOPS; i++) {

 		if (!(stpinfo->bitmask & (1 << i)))

 			continue;

-		if (stpinfo->invflags & (1 << i))

-			printf("! ");

-		printf("--%s ", brstp_opts[i].name);

+		printf("--%s %s", brstp_opts[i].name,

+		       (stpinfo->invflags & (1 << i)) ? "! " : "");

 		if (EBT_STP_TYPE == (1 << i)) {

 			if (stpinfo->type == BPDU_TYPE_CONFIG)

 				printf("%s", BPDU_TYPE_CONFIG_STRING);

diff --git a/extensions/libebt_vlan.c b/extensions/libebt_vlan.c

index 4a2eb7126895e..a2a9dcce531ce 100644

--- a/extensions/libebt_vlan.c

+++ b/extensions/libebt_vlan.c

@@ -108,19 +108,14 @@ static void brvlan_print(const void *ip, const struct xt_entry_match *match,

 	struct ebt_vlan_info *vlaninfo = (struct ebt_vlan_info *) match->data;

 	if (vlaninfo->bitmask & EBT_VLAN_ID) {

-		if (vlaninfo->invflags & EBT_VLAN_ID)

-			printf("! ");

-		printf("--vlan-id %d ", vlaninfo->id);

+		printf("--vlan-id %s%d ", (vlaninfo->invflags & EBT_VLAN_ID) ? "! " : "", vlaninfo->id);

 	}

 	if (vlaninfo->bitmask & EBT_VLAN_PRIO) {

-		if (vlaninfo->invflags & EBT_VLAN_PRIO)

-			printf("! ");

-		printf("--vlan-prio %d ", vlaninfo->prio);

+		printf("--vlan-prio %s%d ", (vlaninfo->invflags & EBT_VLAN_PRIO) ? "! " : "", vlaninfo->prio);

 	}

 	if (vlaninfo->bitmask & EBT_VLAN_ENCAP) {

-		if (vlaninfo->invflags & EBT_VLAN_ENCAP)

-			printf("! ");

-		printf("--vlan-encap %4.4X ", ntohs(vlaninfo->encap));

+		printf("--vlan-encap %s", (vlaninfo->invflags & EBT_VLAN_ENCAP) ? "! " : "");

+		printf("%4.4X ", ntohs(vlaninfo->encap));

 	}

 }

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c

index 43b3e3e9649b8..2b79ca951cd92 100644

--- a/iptables/nft-bridge.c

+++ b/iptables/nft-bridge.c

@@ -344,7 +344,7 @@ static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,

 static void print_iface(const char *option, const char *name, bool invert)

 {

 	if (*name)

-		printf("%s%s %s ", invert ? "! " : "", option, name);

+		printf("%s%s %s ", option, invert ? " !" : "", name);

 }

 static void nft_bridge_print_table_header(const char *tablename)

@@ -389,9 +389,9 @@ static void print_mac(char option, const unsigned char *mac,

 		      const unsigned char *mask,

 		      bool invert)

 {

+	printf("-%c ", option);

 	if (invert)

 		printf("! ");

-	printf("-%c ", option);

 	ebt_print_mac_and_mask(mac, mask);

 	printf(" ");

 }

@@ -406,9 +406,9 @@ static void print_protocol(uint16_t ethproto, bool invert, unsigned int bitmask)

 	if (bitmask & EBT_NOPROTO)

 		return;

+	printf("-p ");

 	if (invert)

 		printf("! ");

-	printf("-p ");

 	if (bitmask & EBT_802_3) {

 		printf("length ");

-- 

2.20.1