nft-compat: fix IP6T_F_GOTO flag handling
IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling
to avoid misinterpretations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 02645a2..d05e80e 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -76,7 +76,7 @@
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(r, cs, cs->fw.ip.flags);
+ return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
}
static bool nft_ipv4_is_same(const void *data_a,
@@ -331,6 +331,12 @@
save_matches_and_target(cs->matches, cs->target,
cs->jumpto, cs->fw.ip.flags, &cs->fw);
+
+ if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+ printf("-%c %s", cs->fw.ip.flags & IPT_F_GOTO ? 'g' : 'j',
+ cs->jumpto);
+ }
+ printf("\n");
}
static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 7c8b43f..f08598a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -59,7 +59,7 @@
if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
return -1;
- return add_action(r, cs, cs->fw6.ipv6.flags);
+ return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
}
static bool nft_ipv6_is_same(const void *data_a,
@@ -138,7 +138,7 @@
cs->jumpto = jumpto;
if (nft_goto)
- cs->fw6.ipv6.flags |= IPT_F_GOTO;
+ cs->fw6.ipv6.flags |= IP6T_F_GOTO;
}
static void print_ipv6_addr(const struct iptables_command_state *cs,
@@ -195,10 +195,8 @@
if (format & FMT_NOTABLE)
fputs(" ", stdout);
-#ifdef IPT_F_GOTO
- if (cs.fw6.ipv6.flags & IPT_F_GOTO)
+ if (cs.fw6.ipv6.flags & IP6T_F_GOTO)
printf("[goto] ");
-#endif
print_matches_and_target(&cs, format);
@@ -234,6 +232,12 @@
save_matches_and_target(cs->matches, cs->target,
cs->jumpto, cs->fw6.ipv6.flags, &cs->fw6);
+
+ if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+ printf("-%c %s", cs->fw6.ipv6.flags & IP6T_F_GOTO ? 'g' : 'j',
+ cs->jumpto);
+ }
+ printf("\n");
}
/* These are invalid numbers as upper layer protocol */
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index dce8a34..ada71e6 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -648,10 +648,7 @@
if (target->save != NULL)
target->save(fw, target->t);
- } else if (strlen(jumpto) > 0)
- printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);
-
- printf("\n");
+ }
}
void print_matches_and_target(struct iptables_command_state *cs,
diff --git a/iptables/nft.c b/iptables/nft.c
index 515d124..a45d599 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -864,7 +864,7 @@
}
int add_action(struct nft_rule *r, struct iptables_command_state *cs,
- int ip_flags)
+ bool goto_set)
{
int ret = 0;
@@ -881,7 +881,7 @@
ret = add_target(r, cs->target->t);
} else if (strlen(cs->jumpto) > 0) {
/* Not standard, then it's a go / jump to chain */
- if (ip_flags & IPT_F_GOTO)
+ if (goto_set)
ret = add_jumpto(r, cs->jumpto, NFT_GOTO);
else
ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
diff --git a/iptables/nft.h b/iptables/nft.h
index 8670f34..9248876 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -107,7 +107,7 @@
int add_match(struct nft_rule *r, struct xt_entry_match *m);
int add_target(struct nft_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nft_rule *r, const char *name, int verdict);
-int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags);
+int add_action(struct nft_rule *r, struct iptables_command_state *cs, bool goto_set);
enum nft_rule_print {
NFT_RULE_APPEND,