@@ -100,7 +100,8 @@ static bool nft_ipv4_is_same(const void *data_a,
return is_same_interfaces(a->fw.ip.iniface, a->fw.ip.outiface,
a->fw.ip.iniface_mask, a->fw.ip.outiface_mask,
b->fw.ip.iniface, b->fw.ip.outiface,
- b->fw.ip.iniface_mask, b->fw.ip.outiface_mask);
+ b->fw.ip.iniface_mask,
+ b->fw.ip.outiface_mask);
}
static void get_frag(struct nft_rule_expr_iter *iter, bool *inv)
@@ -180,7 +181,7 @@ static void nft_ipv4_parse_payload(struct nft_rule_expr_iter *iter,
{
struct iptables_command_state *cs = data;
- switch(offset) {
+ switch (offset) {
struct in_addr addr;
uint8_t proto;
bool inv;
@@ -235,26 +236,26 @@ static void print_ipv4_addr(const struct iptables_command_state *cs,
fputc(cs->fw.ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
if (cs->fw.ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
+ printf(FMT("%-19s ", "%s "), "anywhere");
else {
if (format & FMT_NUMERIC)
strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.src));
else
strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.src));
strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
- printf(FMT("%-19s ","%s "), buf);
+ printf(FMT("%-19s ", "%s "), buf);
}
fputc(cs->fw.ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
if (cs->fw.ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
+ printf(FMT("%-19s ", "-> %s"), "anywhere");
else {
if (format & FMT_NUMERIC)
strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.dst));
else
strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.dst));
strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
+ printf(FMT("%-19s ", "-> %s"), buf);
}
}
@@ -422,13 +423,13 @@ static int nft_ipv4_xlate(const void *data, struct xt_buf *buf)
}
if (cs->fw.ip.outiface[0] != '\0') {
xt_buf_add(buf, "oifname %s%s ",
- cs->fw.ip.invflags & IPT_INV_VIA_OUT? "!= " : "",
+ cs->fw.ip.invflags & IPT_INV_VIA_OUT ? "!= " : "",
cs->fw.ip.outiface);
}
if (cs->fw.ip.flags & IPT_F_FRAG) {
xt_buf_add(buf, "ip frag-off %s%x ",
- cs->fw.ip.invflags & IPT_INV_FRAG? "" : "!= ", 0);
+ cs->fw.ip.invflags & IPT_INV_FRAG ? "" : "!= ", 0);
}
if (cs->fw.ip.proto != 0) {
@@ -462,8 +463,12 @@ static int nft_ipv4_xlate(const void *data, struct xt_buf *buf)
if (!ret)
return ret;
- /* Always add counters per rule, as in iptables */
- xt_buf_add(buf, "counter ");
+ /*
+ * Always add counters as suffix per rule as in iptables
+ * except for comment where it should be prefix
+ */
+ if (strcmp(cs->matches->match->name, "comment"))
+ xt_buf_add(buf, "counter ");
ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), buf);
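Review bot: The new `strcmp(cs->matches->match->name, "comment")` dereferences `cs->matches` unconditionally, so a rule that carries no match expressions (which presumably leaves `cs->matches` NULL) would crash here where the old unconditional `xt_buf_add(buf, "counter ")` could not. Guard the list head before reading it, `if (!cs->matches || strcmp(cs->matches->match->name, "comment") != 0)`. Note also that only the first entry of the match list is inspected, so a rule whose comment match is not first still gets the suffix form; if the intent is "any comment match", the list needs to be walked. The enclosing nft_ipv4_xlate continues outside the hunk.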
Remove the counter as suffix for comment module as it should be used as prefix for this case. Example: $ sudo nft add rule ip filter INPUT comment \"random comment\" counter throws Error: syntax error, unexpected comment $ sudo nft add rule ip filter INPUT counter comment \"random comment\" gets accepted as a legit rule in nftables Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> --- iptables/nft-ipv4.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-)