[PATCH iptables 1/3] tests: xlate: generalize owner

[PATCH iptables 1/3] tests: xlate: generalize owner

[Pablo M. Bermudo Garay]

The owner name was hard-coded in the owner extension translation test.
The translation process requires the user to exist in the system, so
this commit replaces it with the usual UID_MIN value (1000).

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
 extensions/libxt_owner.txlate | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extensions/libxt_owner.txlate b/extensions/libxt_owner.txlate
index eeca168b..86fb0585 100644
--- a/extensions/libxt_owner.txlate
+++ b/extensions/libxt_owner.txlate
@@ -4,5 +4,5 @@ nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept
 iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT
 nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept
 
-iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner pablo -j ACCEPT
+iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner 1000 -j ACCEPT
 nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept
-- 
2.11.0

[PATCH iptables 2/3] libip6t_icmp6: xlate: remove leftover space

[Pablo M. Bermudo Garay]

This change should have been included in commit f035be35c749
("xtables-translate: fix multiple spaces issue"), but was forgotten.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
 extensions/libip6t_icmp6.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c
index b49a241d..37c2bcb8 100644
--- a/extensions/libip6t_icmp6.c
+++ b/extensions/libip6t_icmp6.c
@@ -282,8 +282,6 @@ static int icmp6_xlate(struct xt_xlate *xl,
 	if (!type_xlate_print(xl, info->type, info->code[0], info->code[1]))
 		return 0;
 
-	xt_xlate_add(xl, " ");
-
 	return 1;
 }
 
-- 
2.11.0

[PATCH iptables 3/3] xtables-translate: fix double space before comment

[Pablo M. Bermudo Garay]

When a comment translation immediately follows a counter statement, two
spaces are printed between "counter" and "comment" keywords.

The counter statement is almost always followed by a target, so we need
to move the space following "counter" to the beginning of the target
translation.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
---
 iptables/nft-ipv4.c          |  2 +-
 iptables/nft-ipv6.c          |  2 +-
 iptables/xtables-translate.c | 11 ++++++-----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index e5947a7c..cf311513 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -488,7 +488,7 @@ static int nft_ipv4_xlate(const void *data, struct xt_xlate *xl)
 		return ret;
 
 	/* Always add counters per rule, as in iptables */
-	xt_xlate_add(xl, "counter ");
+	xt_xlate_add(xl, "counter");
 	ret = xlate_action(cs, !!(cs->fw.ip.flags & IPT_F_GOTO), xl);
 
 	comment = xt_xlate_get_comment(xl);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 9cf4058f..53526369 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -437,7 +437,7 @@ static int nft_ipv6_xlate(const void *data, struct xt_xlate *xl)
 		return ret;
 
 	/* Always add counters per rule, as in iptables */
-	xt_xlate_add(xl, "counter ");
+	xt_xlate_add(xl, "counter");
 	ret = xlate_action(cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO), xl);
 
 	comment = xt_xlate_get_comment(xl);
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index e049f24e..3e6c7051 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -60,12 +60,13 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
 	if (cs->target != NULL) {
 		/* Standard target? */
 		if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0)
-			xt_xlate_add(xl, "accept");
+			xt_xlate_add(xl, " accept");
 		else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0)
-			xt_xlate_add(xl, "drop");
+			xt_xlate_add(xl, " drop");
 		else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
-			xt_xlate_add(xl, "return");
+			xt_xlate_add(xl, " return");
 		else if (cs->target->xlate) {
+			xt_xlate_add(xl, " ");
 			struct xt_xlate_tg_params params = {
 				.ip		= (const void *)&cs->fw,
 				.target		= cs->target->t,
@@ -79,9 +80,9 @@ int xlate_action(const struct iptables_command_state *cs, bool goto_set,
 	} else if (strlen(cs->jumpto) > 0) {
 		/* Not standard, then it's a go / jump to chain */
 		if (goto_set)
-			xt_xlate_add(xl, "goto %s", cs->jumpto);
+			xt_xlate_add(xl, " goto %s", cs->jumpto);
 		else
-			xt_xlate_add(xl, "jump %s", cs->jumpto);
+			xt_xlate_add(xl, " jump %s", cs->jumpto);
 	}
 
 	return ret;
-- 
2.11.0

Re: [PATCH iptables 1/3] tests: xlate: generalize owner

[Pablo Neira Ayuso]

On Tue, Jun 06, 2017 at 12:08:26AM +0200, Pablo M. Bermudo Garay wrote:
> The owner name was hard-coded in the owner extension translation test.
> The translation process requires the user to exist in the system, so
> this commit replaces it with the usual UID_MIN value (1000).

Applied, thanks.

Re: [PATCH iptables 2/3] libip6t_icmp6: xlate: remove leftover space

[Pablo Neira Ayuso]

On Tue, Jun 06, 2017 at 12:08:27AM +0200, Pablo M. Bermudo Garay wrote:
> This change should have been included in commit f035be35c749
> ("xtables-translate: fix multiple spaces issue"), but was forgotten.

Also applied, thanks.

Re: [PATCH iptables 3/3] xtables-translate: fix double space before comment

[Pablo Neira Ayuso]

On Tue, Jun 06, 2017 at 12:08:28AM +0200, Pablo M. Bermudo Garay wrote:
> When a comment translation immediately follows a counter statement, two
> spaces are printed between "counter" and "comment" keywords.
> 
> The counter statement is almost always followed by a target, so we need
> to move the space following "counter" to the beginning of the target
> translation.

Neat, applied, thanks.