From patchwork Tue Nov 29 11:47:25 2016
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 700467
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH] tcp_xlate: Enclose LH flag values in parentheses
Date: Tue, 29 Nov 2016 12:47:25 +0100
Message-Id: <20161129114725.12735-1-phil@nwl.cc>

This fixes TCP flags matches:

| $ iptables-translate -A invalid -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
| nft add rule ip filter invalid tcp flags & fin|syn == fin|syn counter drop

Although the generated rule is syntactically correct and accepted by nft,
it will be interpreted in a different way than expected since binary AND
takes precedence over OR.

Signed-off-by: Phil Sutter
---
 extensions/libxt_tcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 7f68b81288725..58f3c0a0c3c28 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c @@ -435,9 +435,9 @@ static int tcp_xlate(struct xt_xlate *xl, return 0; if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) { - xt_xlate_add(xl, "%stcp flags & ", space); + xt_xlate_add(xl, "%stcp flags & (", space); print_tcp_xlate(xl, tcpinfo->flg_mask); - xt_xlate_add(xl, " %s ", + xt_xlate_add(xl, ") %s ", tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "=="); print_tcp_xlate(xl, tcpinfo->flg_cmp); }
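Review bot: the guard above the changed lines, `if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS))`, still enters the block when flg_mask is zero and only the inversion flag is set, so the new output is `tcp flags & (` followed by whatever print_tcp_xlate() emits for an empty mask and then `) !=`; that path is not visible in the hunk, so please check (ideally with a translate test for `! --tcp-flags` with an empty mask) that it still produces something nft accepts rather than an empty parenthesised group. Wrapping the mask operand in parentheses does address the `&` versus `|` precedence problem the commit message describes; a single-flag mask will now come out as the redundant but harmless `tcp flags & (syn) == syn`. The comparison operand printed after the `==`/`!=` by the unchanged `print_tcp_xlate(xl, tcpinfo->flg_cmp)` call is still unparenthesised, which the commit message does not discuss; a one-line note there on why the right-hand side needs no grouping would make the intent clear to later readers.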