[iptables,2/2] xtables-translate: fix issue with quotes

Message ID 20160722154834.1802-2-pablombg@gmail.com
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo M. Bermudo Garay July 22, 2016, 3:48 p.m. UTC
Some translations included escaped quotes when they were called from
nft:

$ sudo nft list ruleset
table ip mangle {
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
        ct helper \"ftp\" counter packets 0 bytes 0
                  ^^   ^^
    }
}

This behavior is only correct when xlate functions are called from a
xtables-translate command. This patch solves that issue if nft revision
is using the field added to the xt_xlate struct with "xtables-translate:
add new field to identify the caller" commit.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
 extensions/libip6t_LOG.c  | 8 ++++++--
 extensions/libipt_LOG.c   | 8 ++++++--
 extensions/libxt_NFLOG.c  | 9 +++++++--
 extensions/libxt_helper.c | 8 ++++++--
 4 files changed, 25 insertions(+), 8 deletions(-)

Comments

Pablo Neira Ayuso July 23, 2016, 10:15 a.m. UTC | #1
On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
> Some translations included escaped quotes when they were called from
> nft:

git am /tmp/iptables-2-2-xtables-translate-fix-issue-with-quotes.patch -s
Applying: xtables-translate: fix issue with quotes
error: patch failed: extensions/libxt_NFLOG.c:110

This doesn't apply.

You're not working on top of a fresh git repository. Please,
frequently git pull and rebase your work.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso July 25, 2016, 3:31 p.m. UTC | #2
On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
> Some translations included escaped quotes when they were called from
> nft:
> 
> $ sudo nft list ruleset
> table ip mangle {
>     chain FORWARD {
>         type filter hook forward priority -150; policy accept;
>         ct helper \"ftp\" counter packets 0 bytes 0
>                   ^^   ^^
>     }
> }
> 
> This behavior is only correct when xlate functions are called from a
> xtables-translate command. This patch solves that issue if nft revision
> is using the field added to the xt_xlate struct with "xtables-translate:
> add new field to identify the caller" commit.

Please, rebase this change on top of:

http://git.netfilter.org/iptables/commit/?id=7a0992da44cfb6cab0ccd1beadcf326df8773552

I'd suggest you add a new parameter for this, something like:

        bool escape_quotes;

Or is there use for this nft_compat field you propose out of this.

Thanks.
Pablo M. Bermudo Garay July 26, 2016, 4:22 p.m. UTC | #3
2016-07-25 17:31 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
>> Some translations included escaped quotes when they were called from
>> nft:
>>
>> $ sudo nft list ruleset
>> table ip mangle {
>>     chain FORWARD {
>>         type filter hook forward priority -150; policy accept;
>>         ct helper \"ftp\" counter packets 0 bytes 0
>>                   ^^   ^^
>>     }
>> }
>>
>> This behavior is only correct when xlate functions are called from a
>> xtables-translate command. This patch solves that issue if nft revision
>> is using the field added to the xt_xlate struct with "xtables-translate:
>> add new field to identify the caller" commit.
>
> Please, rebase this change on top of:
>
> http://git.netfilter.org/iptables/commit/?id=7a0992da44cfb6cab0ccd1beadcf326df8773552
>
> I'd suggest you add a new parameter for this, something like:
>
>         bool escape_quotes;
>
> Or is there use for this nft_compat field you propose out of this.

For the moment, the quotes issue is the only use I have found for the
nft_compat field. So the escape_quotes boolean seems a good idea.

Thanks.
Pablo Neira Ayuso July 26, 2016, 4:27 p.m. UTC | #4
On Tue, Jul 26, 2016 at 06:22:49PM +0200, Pablo M. Bermudo Garay wrote:
> 2016-07-25 17:31 GMT+02:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> > On Fri, Jul 22, 2016 at 05:48:34PM +0200, Pablo M. Bermudo Garay wrote:
> >> Some translations included escaped quotes when they were called from
> >> nft:
> >>
> >> $ sudo nft list ruleset
> >> table ip mangle {
> >>     chain FORWARD {
> >>         type filter hook forward priority -150; policy accept;
> >>         ct helper \"ftp\" counter packets 0 bytes 0
> >>                   ^^   ^^
> >>     }
> >> }
> >>
> >> This behavior is only correct when xlate functions are called from a
> >> xtables-translate command. This patch solves that issue if nft revision
> >> is using the field added to the xt_xlate struct with "xtables-translate:
> >> add new field to identify the caller" commit.
> >
> > Please, rebase this change on top of:
> >
> > http://git.netfilter.org/iptables/commit/?id=7a0992da44cfb6cab0ccd1beadcf326df8773552
> >
> > I'd suggest you add a new parameter for this, something like:
> >
> >         bool escape_quotes;
> >
> > Or is there use for this nft_compat field you propose out of this.
> 
> For the moment, the quotes issue is the only use I have found for the
> nft_compat field. So the escape_quotes boolean seems a good idea.

Great, I prefer then escape_quotes. We can rename this later on if it
turns out that we need this for something else.
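As an added example, not code from this patch or from iptables itself, here is one way to write the quoting the thread settles on: a single escape_quotes flag carried by the output buffer, one helper that picks the quote style instead of duplicating the format string in every extension, and a check that refuses a value containing a quote or a backslash (the patch interpolates the log prefix and helper name unchecked, so such a value would end the nft string literal early). The struct and function names are assumptions for illustration, not the libxtables API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the xt_xlate output buffer (hypothetical, not iptables' own). */
struct xlate_buf {
	char data[256];
	size_t len;
	bool escape_quotes;   /* the flag the thread agrees to use */
};

static void xlate_init(struct xlate_buf *xl, bool escape_quotes)
{
	memset(xl, 0, sizeof(*xl));
	xl->escape_quotes = escape_quotes;
}

/* Append a literal chunk, truncating silently at the end of the buffer. */
static void xlate_add(struct xlate_buf *xl, const char *s)
{
	size_t n = strlen(s);
	size_t room = sizeof(xl->data) - 1 - xl->len;

	if (n > room)
		n = room;
	memcpy(xl->data + xl->len, s, n);
	xl->len += n;
	xl->data[xl->len] = '\0';
}

/*
 * Append an nft string literal wrapped in quotes.
 *   escape_quotes set   -> \"value\"  (xtables-translate output, which the
 *                                     user pastes into a shell)
 *   escape_quotes clear -> "value"    (nft list ruleset, no shell involved)
 * Returns -1 and writes nothing if value contains a quote or a backslash,
 * since either would break or alter the emitted rule.
 */
static int xlate_add_quoted(struct xlate_buf *xl, const char *value)
{
	const char *q = xl->escape_quotes ? "\\\"" : "\"";

	if (strpbrk(value, "\"\\") != NULL)
		return -1;
	xlate_add(xl, q);
	xlate_add(xl, value);
	xlate_add(xl, q);
	return 0;
}

/* Same output as the helper_xlate() hunk, with a single code path. */
static int helper_xlate(struct xlate_buf *xl, bool invert, const char *name)
{
	xlate_add(xl, "ct helper");
	xlate_add(xl, invert ? " != " : " ");
	return xlate_add_quoted(xl, name);
}

int main(void)
{
	struct xlate_buf xl;

	xlate_init(&xl, true);          /* called from xtables-translate */
	helper_xlate(&xl, false, "ftp");
	puts(xl.data);                  /* ct helper \"ftp\" */

	xlate_init(&xl, false);         /* called from nft */
	helper_xlate(&xl, false, "ftp");
	puts(xl.data);                  /* ct helper "ftp" */
	return 0;
}
```

The flag lives on the buffer rather than being passed to each xlate function, so the four extensions touched by the patch would not need to know who the caller is; they only ask for a quoted literal.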

Patch

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 3c5075e..ec4b9cc 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -190,8 +190,12 @@  static int LOG_xlate(const void *ip, const struct xt_entry_target *target,
 			(const struct ip6t_log_info *)target->data;
 
 	xt_xlate_add(xl, "log ");
-	if (strcmp(loginfo->prefix, "") != 0)
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+	if (strcmp(loginfo->prefix, "") != 0) {
+		if (xt_xlate_get_nft_compat(xl))
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+	}
 
 	for (i = 0; i < ARRAY_SIZE(ip6t_log_xlate_names); ++i)
 		if (loginfo->level == ip6t_log_xlate_names[i].level &&
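Review bot: the two branches of the new if/else differ only in the quote string, so the prefix can be emitted once with a selected quote, e.g. `const char *q = xt_xlate_get_nft_compat(xl) ? "\\\"" : "\"";` followed by `xt_xlate_add(xl, "prefix %s%s%s ", q, loginfo->prefix, q);`. Since the thread agrees to rebase on 7a0992da and rename the field to escape_quotes, the accessor name in this hunk will change anyway, which is a good moment to collapse the duplication. Independently of the quoting style, loginfo->prefix is interpolated unchecked, so a prefix containing a double quote ends the nft string literal early; at least the xtables-translate path should reject or escape such a prefix.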
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index f81eb8d..c87d5fe 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -190,8 +190,12 @@  static int LOG_xlate(const void *ip, const struct xt_entry_target *target,
 			(const struct ipt_log_info *)target->data;
 
 	xt_xlate_add(xl, "log ");
-	if (strcmp(loginfo->prefix, "") != 0)
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+	if (strcmp(loginfo->prefix, "") != 0) {
+		if (xt_xlate_get_nft_compat(xl))
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", loginfo->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", loginfo->prefix);
+	}
 
 	for (i = 0; i < ARRAY_SIZE(ipt_log_xlate_names); ++i)
 		if (loginfo->level != LOG_DEFAULT_LEVEL &&
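Review bot: this hunk is character for character the same conditional as the libip6t_LOG.c one, and libxt_NFLOG.c and libxt_helper.c carry it a third and fourth time; a small shared helper in libxtables that appends a quoted string according to the caller flag would keep the escaping rule in one place, so that a later change (the planned escape_quotes rename, or escaping of embedded quotes in the prefix) does not have to be repeated in every extension.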
diff --git a/extensions/libxt_NFLOG.c b/extensions/libxt_NFLOG.c
index 8c67066..f0b92de 100644
--- a/extensions/libxt_NFLOG.c
+++ b/extensions/libxt_NFLOG.c
@@ -110,8 +110,13 @@  static void nflog_print_xlate(const struct xt_nflog_info *info,
 			      struct xt_xlate *xl)
 {
 	xt_xlate_add(xl, "log ");
-	if (info->prefix[0] != '\0')
-		xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+	if (info->prefix[0] != '\0') {
+		if (xt_xlate_get_nft_compat(xl))
+			xt_xlate_add(xl, "prefix \\\"%s\\\" ", info->prefix);
+		else
+			xt_xlate_add(xl, "prefix \"%s\" ", info->prefix);
+
+	}
 	if (info->len)
 		xt_xlate_add(xl, "snaplen %u ", info->len);
 	if (info->threshold != XT_NFLOG_DEFAULT_THRESHOLD)
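Review bot: there is a stray empty `+` line between the else branch and the closing brace of the prefix block; it should be dropped before the rebase that the maintainer asked for. Otherwise the same remark as for the LOG targets applies here: the if/else can be a single `xt_xlate_add(xl, "prefix %s%s%s ", q, info->prefix, q);` with `q` chosen from the caller flag, and info->prefix is still interpolated without any check for an embedded quote.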
diff --git a/extensions/libxt_helper.c b/extensions/libxt_helper.c
index 26e9569..7b06e50 100644
--- a/extensions/libxt_helper.c
+++ b/extensions/libxt_helper.c
@@ -50,8 +50,12 @@  static int helper_xlate(const void *ip, const struct xt_entry_match *match,
 {
 	const struct xt_helper_info *info = (const void *)match->data;
 
-	xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
-		   info->invert ? " !=" : "", info->name);
+	if (xt_xlate_get_nft_compat(xl))
+		xt_xlate_add(xl, "ct helper%s \\\"%s\\\"",
+			   info->invert ? " !=" : "", info->name);
+	else
+		xt_xlate_add(xl, "ct helper%s \"%s\"",
+			   info->invert ? " !=" : "", info->name);
 
 	return 1;
 }
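Review bot: both xt_xlate_add() calls pass the same invert and name arguments and differ only in the quote characters, so a single call `xt_xlate_add(xl, "ct helper%s %s%s%s", info->invert ? " !=" : "", q, info->name, q);` with `q` selected once from the caller flag avoids keeping two copies of the format in sync. As with the prefix in the LOG hunks, info->name is interpolated unchecked; the helper name is user supplied via the match option, so a name containing a quote would produce an unparseable literal on the translate path.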