Patchwork ip6tables: don't print out /128

Submitter Phil Oester
Date June 20, 2013, 8:11 p.m.
Message ID <20130620201138.GA11634@gmail.com>
Permalink /patch/253327/
State Accepted

Comments

Phil Oester - June 20, 2013, 8:11 p.m.
Similar to how iptables does not print /32 on IPv4 addresses, ip6tables
should not print out /128 on IPv6 addresses.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>
Pablo Neira - July 8, 2013, 2:26 a.m.
Hi Phil,

On Thu, Jun 20, 2013 at 04:11:38PM -0400, Phil Oester wrote:
> Similar to how iptables does not print /32 on IPv4 addresses, ip6tables
> should not print out /128 on IPv6 addresses.

I just looked at the source of old iptables releases (1.4.11) and it
displays the /32 with iptables -L. I prefer if we restore that
behaviour, i.e. we get it back to display /32, for historical reasons.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Phil Oester - July 8, 2013, 4:19 a.m.
On Mon, Jul 08, 2013 at 04:26:41AM +0200, Pablo Neira Ayuso wrote:
> I just looked at the source of old iptables releases (1.4.11) and it
> displays the /32 with iptables -L. I prefer if we restore that
> behaviour, i.e. we get it back to display /32, for historical reasons.

That does not appear to be correct.  

# ./iptables-multi main -V
iptables v1.4.10

# ./iptables-multi main -L foo  
Chain foo (0 references)
target     prot opt source               destination         
           all  --  1.2.3.4              anywhere


From what I can tell, the comment 

	/* we don't want to see "/32" */

has existed in the tree since at least 3/2000.  

Phil
Pablo Neira - July 8, 2013, 4:55 p.m.
On Sun, Jul 07, 2013 at 09:19:08PM -0700, Phil Oester wrote:
> On Mon, Jul 08, 2013 at 04:26:41AM +0200, Pablo Neira Ayuso wrote:
> > I just looked at the source of old iptables releases (1.4.11) and it
> > displays the /32 with iptables -L. I prefer if we restore that
> > behaviour, i.e. we get it back to display /32, for historical reasons.
> 
> That does not appear to be correct.  
> 
> # ./iptables-multi main -V
> iptables v1.4.10
> 
> # ./iptables-multi main -L foo  
> Chain foo (0 references)
> target     prot opt source               destination         
>            all  --  1.2.3.4              anywhere
> 
> 
> From what I can tell, the comment 
> 
> 	/* we don't want to see "/32" */
> 
> has existed in the tree since at least 3/2000.

You're right, I was looking at the wrong place in the code. I have
applied this patch. Thanks.

Patch

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ebc77b6..ef5bc07 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1597,7 +1597,11 @@  const char *xtables_ip6mask_to_numeric(const struct in6_addr *addrp)
 		strcat(buf, xtables_ip6addr_to_numeric(addrp));
 		return buf;
 	}
-	sprintf(buf, "/%d", l);
+	/* we don't want to see "/128" */
+	if (l == 128)
+		return "";
+	else
+		sprintf(buf, "/%d", l);
 	return buf;
 }
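
Review bot: The `else` after `return "";` in the new `l == 128` branch is redundant, because that branch always returns; dropping it leaves `sprintf(buf, "/%d", l);` at its original indentation and shrinks the change to the comment plus the two-line check. The new branch also returns a string literal, while the fall-through path ends in `return buf;`, so the function no longer always hands back `buf`. The `const char *` return type makes that safe, but a one-line comment on the function saying the result may not be `buf` would help future callers, or the branch could set `buf[0] = '\0'` and fall through to `return buf;` to keep a single return convention. The commit message should also say that the printed form of full-length masks changes, for anyone who parses this output.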