[PATCH iptables,v2 0/5] iptables-translation enhancements

[PATCH iptables,v2 0/5] iptables-translation enhancements

[Pablo Neira Ayuso]

Hi,

This is v2 of a previously posted individual patches.

1) Extend libxtables to allow to add a set dependency definition
   for translations. Changes since v1: Fix broken translation
   of single commands with no matches / targets.

2) Update xlate-test.py to deal with multiline translation
   (new in this v2 batch).

3) Add libxt_connlimit xlate support and tests (Changes since v1:
   added tests).

4) Use compact flags match representation in libxt_tcp (new)

5) Use negation to simplify libxt_conntrack translation (new)

Pablo Neira Ayuso (5):
  libxtables: extend xlate infrastructure
  tests: xlate-test: support multiline expectation
  extensions: libxt_connlimit: add translation
  extensions: libxt_tcp: rework translation to use flags match representation
  extensions: libxt_conntrack: simplify translation using negation

 configure.ac                      |  4 +-
 extensions/libxt_TCPMSS.txlate    |  4 +-
 extensions/libxt_connlimit.c      | 49 ++++++++++++++++++
 extensions/libxt_connlimit.txlate | 15 ++++++
 extensions/libxt_conntrack.c      | 46 +++++------------
 extensions/libxt_conntrack.txlate |  8 +--
 extensions/libxt_tcp.c            | 10 ++--
 extensions/libxt_tcp.txlate       |  6 +--
 include/xtables.h                 |  6 +++
 iptables/xtables-translate.c      | 29 ++++++++---
 libxtables/xtables.c              | 82 ++++++++++++++++++++++++-------
 xlate-test.py                     | 14 +++++-
 12 files changed, 196 insertions(+), 77 deletions(-)
 create mode 100644 extensions/libxt_connlimit.txlate

-- 
2.20.1

[PATCH iptables,v2 1/5] libxtables: extend xlate infrastructure

[Pablo Neira Ayuso]

This infrastructure extends the existing xlate infrastructure:

- Extensions can define set dependencies through .xlate. The resulting
  set definition can be obtained through xt_xlate_set_get().
- Add xl_xlate_set_family() and xl_xlate_get_family() to store/fetch
  the family.

The first client of this new xlate API is the connlimit extension,
which is added in a follow up patch.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 configure.ac                 |  4 +-
 include/xtables.h            |  6 +++
 iptables/xtables-translate.c | 29 +++++++++----
 libxtables/xtables.c         | 82 ++++++++++++++++++++++++++++--------
 4 files changed, 93 insertions(+), 28 deletions(-)

diff --git a/configure.ac b/configure.ac
index 6864378a3fcb..00ae60c5cfa1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,8 +2,8 @@
 AC_INIT([iptables], [1.8.7])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=16
-libxtables_vage=4
+libxtables_vcurrent=17
+libxtables_vage=5
 
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
diff --git a/include/xtables.h b/include/xtables.h
index df1eaee32664..347f4bd7aa98 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -632,9 +632,15 @@ extern const char *xtables_lmap_id2name(const struct xtables_lmap *, int);
 struct xt_xlate *xt_xlate_alloc(int size);
 void xt_xlate_free(struct xt_xlate *xl);
 void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3)));
+#define xt_xlate_rule_add xt_xlate_add
+void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...) __attribute__((format(printf,2,3)));
 void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
 const char *xt_xlate_get_comment(struct xt_xlate *xl);
+void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family);
+uint8_t xt_xlate_get_family(struct xt_xlate *xl);
 const char *xt_xlate_get(struct xt_xlate *xl);
+#define xt_xlate_rule_get xt_xlate_get
+const char *xt_xlate_set_get(struct xt_xlate *xl);
 
 #ifdef XTABLES_INTERNAL
 
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 575fb320dc40..33ba68eceb74 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -155,20 +155,33 @@ static int nft_rule_xlate_add(struct nft_handle *h,
 			      bool append)
 {
 	struct xt_xlate *xl = xt_xlate_alloc(10240);
+	const char *set;
 	int ret;
 
+	xl_xlate_set_family(xl, h->family);
+	ret = h->ops->xlate(cs, xl);
+	if (!ret)
+		goto err_out;
+
+	set = xt_xlate_set_get(xl);
+	if (set[0]) {
+		printf("add set %s %s %s\n", family2str[h->family], p->table,
+		       xt_xlate_set_get(xl));
+
+		if (!cs->restore && p->command != CMD_NONE)
+			printf("nft ");
+	}
+
 	if (append) {
-		xt_xlate_add(xl, "add rule %s %s %s ",
-			   family2str[h->family], p->table, p->chain);
+		printf("add rule %s %s %s ",
+		       family2str[h->family], p->table, p->chain);
 	} else {
-		xt_xlate_add(xl, "insert rule %s %s %s ",
-			   family2str[h->family], p->table, p->chain);
+		printf("insert rule %s %s %s ",
+		       family2str[h->family], p->table, p->chain);
 	}
+	printf("%s\n", xt_xlate_rule_get(xl));
 
-	ret = h->ops->xlate(cs, xl);
-	if (ret)
-		printf("%s\n", xt_xlate_get(xl));
-
+err_out:
 	xt_xlate_free(xl);
 	return ret;
 }
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index e6edfb5b4946..d7aab834b998 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -2319,32 +2319,42 @@ void get_kernel_version(void)
 
 #include <linux/netfilter/nf_tables.h>
 
+enum xt_xlate_type {
+	XT_XLATE_RULE = 0,
+	XT_XLATE_SET,
+	__XT_XLATE_MAX
+};
+
 struct xt_xlate {
-	struct {
+	struct xt_xlate_buf {
 		char	*data;
 		int	size;
 		int	rem;
 		int	off;
-	} buf;
+	} buf[__XT_XLATE_MAX];
 	char comment[NFT_USERDATA_MAXLEN];
+	int family;
 };
 
 struct xt_xlate *xt_xlate_alloc(int size)
 {
 	struct xt_xlate *xl;
+	int i;
 
 	xl = malloc(sizeof(struct xt_xlate));
 	if (xl == NULL)
 		xtables_error(RESOURCE_PROBLEM, "OOM");
 
-	xl->buf.data = malloc(size);
-	if (xl->buf.data == NULL)
-		xtables_error(RESOURCE_PROBLEM, "OOM");
+	for (i = 0; i < __XT_XLATE_MAX; i++) {
+		xl->buf[i].data = malloc(size);
+		if (xl->buf[i].data == NULL)
+			xtables_error(RESOURCE_PROBLEM, "OOM");
 
-	xl->buf.data[0] = '\0';
-	xl->buf.size = size;
-	xl->buf.rem = size;
-	xl->buf.off = 0;
+		xl->buf[i].data[0] = '\0';
+		xl->buf[i].size = size;
+		xl->buf[i].rem = size;
+		xl->buf[i].off = 0;
+	}
 	xl->comment[0] = '\0';
 
 	return xl;
@@ -2352,23 +2362,44 @@ struct xt_xlate *xt_xlate_alloc(int size)
 
 void xt_xlate_free(struct xt_xlate *xl)
 {
-	free(xl->buf.data);
+	int i;
+
+	for (i = 0; i < __XT_XLATE_MAX; i++)
+		free(xl->buf[i].data);
+
 	free(xl);
 }
 
-void xt_xlate_add(struct xt_xlate *xl, const char *fmt, ...)
+static void __xt_xlate_add(struct xt_xlate *xl, enum xt_xlate_type type,
+			   const char *fmt, va_list ap)
 {
-	va_list ap;
+	struct xt_xlate_buf *buf = &xl->buf[type];
 	int len;
 
-	va_start(ap, fmt);
-	len = vsnprintf(xl->buf.data + xl->buf.off, xl->buf.rem, fmt, ap);
-	if (len < 0 || len >= xl->buf.rem)
+	len = vsnprintf(buf->data + buf->off, buf->rem, fmt, ap);
+	if (len < 0 || len >= buf->rem)
 		xtables_error(RESOURCE_PROBLEM, "OOM");
 
+	buf->rem -= len;
+	buf->off += len;
+}
+
+void xt_xlate_rule_add(struct xt_xlate *xl, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	__xt_xlate_add(xl, XT_XLATE_RULE, fmt, ap);
+	va_end(ap);
+}
+
+void xt_xlate_set_add(struct xt_xlate *xl, const char *fmt, ...)
+{
+	va_list ap;
+
+	va_start(ap, fmt);
+	__xt_xlate_add(xl, XT_XLATE_SET, fmt, ap);
 	va_end(ap);
-	xl->buf.rem -= len;
-	xl->buf.off += len;
 }
 
 void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment)
@@ -2382,7 +2413,22 @@ const char *xt_xlate_get_comment(struct xt_xlate *xl)
 	return xl->comment[0] ? xl->comment : NULL;
 }
 
+void xl_xlate_set_family(struct xt_xlate *xl, uint8_t family)
+{
+	xl->family = family;
+}
+
+uint8_t xt_xlate_get_family(struct xt_xlate *xl)
+{
+	return xl->family;
+}
+
 const char *xt_xlate_get(struct xt_xlate *xl)
 {
-	return xl->buf.data;
+	return xl->buf[XT_XLATE_RULE].data;
+}
+
+const char *xt_xlate_set_get(struct xt_xlate *xl)
+{
+	return xl->buf[XT_XLATE_SET].data;
 }
-- 
2.20.1

[PATCH iptables,v2 2/5] tests: xlate-test: support multiline expectation

[Pablo Neira Ayuso]

Extend translation test to deal with multiline translation, e.g.

iptables-translate -A INPUT -m connlimit --connlimit-above 2
nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 xlate-test.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/xlate-test.py b/xlate-test.py
index 4c014f9bd269..cba98b6e8e49 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -39,14 +39,21 @@ def run_test(name, payload):
     tests = passed = failed = errors = 0
     result = []
 
-    for line in payload:
+    line = payload.readline()
+    while line:
         if line.startswith(keywords):
             tests += 1
             process = Popen([ xtables_nft_multi ] + shlex.split(line), stdout=PIPE, stderr=PIPE)
             (output, error) = process.communicate()
             if process.returncode == 0:
                 translation = output.decode("utf-8").rstrip(" \n")
-                expected = next(payload).rstrip(" \n")
+                expected = payload.readline().rstrip(" \n")
+                next_expected = payload.readline().rstrip(" \n")
+                if next_expected.startswith("nft"):
+                    expected += "\n" + next_expected
+                    line = payload.readline()
+                else:
+                    line = next_expected
                 if translation != expected:
                     test_passed = False
                     failed += 1
@@ -62,6 +69,9 @@ def run_test(name, payload):
                 errors += 1
                 result.append(name + ": " + red("Error: ") + "iptables-translate failure")
                 result.append(error.decode("utf-8"))
+                line = payload.readline()
+        else:
+                line = payload.readline()
     if (passed == tests) and not args.test:
         print(name + ": " + green("OK"))
     if not test_passed:
-- 
2.20.1

[PATCH iptables,v2 3/5] extensions: libxt_connlimit: add translation

[Pablo Neira Ayuso]

This patch adds a translation for connlimit matches which requires
the definition of a set and the family context (either IPv4 or IPv6)
which is required to display the netmask accordingly.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_connlimit.c      | 49 +++++++++++++++++++++++++++++++
 extensions/libxt_connlimit.txlate | 15 ++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 extensions/libxt_connlimit.txlate

diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index a569f86aa6b2..118faea560f7 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -2,6 +2,8 @@
 #include <netdb.h>
 #include <string.h>
 #include <xtables.h>
+#include <arpa/inet.h>
+
 #include <linux/netfilter/xt_connlimit.h>
 
 enum {
@@ -183,6 +185,51 @@ static void connlimit_save6(const void *ip, const struct xt_entry_match *match)
 	}
 }
 
+static int connlimit_xlate(struct xt_xlate *xl,
+			   const struct xt_xlate_mt_params *params)
+{
+	const struct xt_connlimit_info *info = (const void *)params->match->data;
+	static uint32_t connlimit_id;
+	char netmask[128] = {};
+	char addr[64] = {};
+	uint32_t mask;
+
+	switch (xt_xlate_get_family(xl)) {
+	case AF_INET:
+		mask = count_bits4(info->v4_mask);
+		if (mask != 32) {
+			struct in_addr *in = (struct in_addr *)&info->v4_mask;
+
+			inet_ntop(AF_INET, in, addr, sizeof(addr));
+			snprintf(netmask, sizeof(netmask), "and %s ", addr);
+		}
+		break;
+	case AF_INET6:
+		mask = count_bits6(info->v6_mask);
+		if (mask != 128) {
+			struct in6_addr *in6 = (struct in6_addr *)&info->v6_mask;
+
+			inet_ntop(AF_INET6, in6, addr, sizeof(addr));
+			snprintf(netmask, sizeof(netmask), "and %s ", addr);
+		}
+		break;
+	default:
+		return 0;
+	}
+
+	xt_xlate_set_add(xl, "connlimit%u { type ipv4_addr; flags dynamic; }",
+			 connlimit_id);
+	xt_xlate_rule_add(xl, "add @connlimit%u { %s %s %sct count %s%u }",
+			  connlimit_id++,
+			  xt_xlate_get_family(xl) == AF_INET ? "ip" : "ip6",
+			  info->flags & XT_CONNLIMIT_DADDR ? "daddr" : "saddr",
+			  netmask,
+			  info->flags & XT_CONNLIMIT_INVERT ? "" : "over ",
+			  info->limit);
+
+	return 1;
+}
+
 static struct xtables_match connlimit_mt_reg[] = {
 	{
 		.name          = "connlimit",
@@ -228,6 +275,7 @@ static struct xtables_match connlimit_mt_reg[] = {
 		.print         = connlimit_print4,
 		.save          = connlimit_save4,
 		.x6_options    = connlimit_opts,
+		.xlate         = connlimit_xlate,
 	},
 	{
 		.name          = "connlimit",
@@ -243,6 +291,7 @@ static struct xtables_match connlimit_mt_reg[] = {
 		.print         = connlimit_print6,
 		.save          = connlimit_save6,
 		.x6_options    = connlimit_opts,
+		.xlate         = connlimit_xlate,
 	},
 };
 
diff --git a/extensions/libxt_connlimit.txlate b/extensions/libxt_connlimit.txlate
new file mode 100644
index 000000000000..758868c4436c
--- /dev/null
+++ b/extensions/libxt_connlimit.txlate
@@ -0,0 +1,15 @@
+iptables-translate -A INPUT -m connlimit --connlimit-above 2
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count over 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr ct count 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-mask 24
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip saddr and 255.255.255.0 ct count 2 } counter
+
+iptables-translate -A INPUT -m connlimit --connlimit-upto 2 --connlimit-daddr
+nft add set ip filter connlimit0 { type ipv4_addr; flags dynamic; }
+nft add rule ip filter INPUT add @connlimit0 { ip daddr ct count 2 } counter
-- 
2.20.1

[PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation

[Pablo Neira Ayuso]

Use the new flags match representation available since nftables 0.9.9
to simplify the translation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_TCPMSS.txlate |  4 ++--
 extensions/libxt_tcp.c         | 10 +++++-----
 extensions/libxt_tcp.txlate    |  6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/extensions/libxt_TCPMSS.txlate b/extensions/libxt_TCPMSS.txlate
index 6a64d2ce9bfd..3dbbad66c560 100644
--- a/extensions/libxt_TCPMSS.txlate
+++ b/extensions/libxt_TCPMSS.txlate
@@ -1,5 +1,5 @@
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu
 
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set 90
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c2..4bcd94630111 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -381,7 +381,7 @@ static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
 		for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
 
 		if (have_flag)
-			xt_xlate_add(xl, "|");
+			xt_xlate_add(xl, ",");
 
 		xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
 		have_flag = 1;
@@ -435,11 +435,11 @@ static int tcp_xlate(struct xt_xlate *xl,
 		return 0;
 
 	if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
-		xt_xlate_add(xl, "%stcp flags & (", space);
-		print_tcp_xlate(xl, tcpinfo->flg_mask);
-		xt_xlate_add(xl, ") %s ",
-			   tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
+		xt_xlate_add(xl, "%stcp flags %s", space,
+			     tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!= ": "");
 		print_tcp_xlate(xl, tcpinfo->flg_cmp);
+		xt_xlate_add(xl, " / ");
+		print_tcp_xlate(xl, tcpinfo->flg_mask);
 	}
 
 	return 1;
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index bba63324df2b..921d4af024d3 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -11,13 +11,13 @@ iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT
 nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept
 
 iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop
+nft add rule ip filter INPUT tcp flags fin / fin,ack counter drop
 
 iptables-translate -A INPUT -p tcp --syn -j ACCEPT
-nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp dport 80 tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -f -p tcp
 nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
-- 
2.20.1

[PATCH iptables,v2 5/5] extensions: libxt_conntrack: simplify translation using negation

[Pablo Neira Ayuso]

Available since nftables 0.9.9. For example:

 # iptables-translate -I INPUT -m state ! --state NEW,INVALID
 nft insert rule ip filter INPUT ct state ! invalid,new  counter

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_conntrack.c      | 46 +++++++++----------------------
 extensions/libxt_conntrack.txlate |  8 +++---
 2 files changed, 17 insertions(+), 37 deletions(-)

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index 7f7b45ee1f82..64018ce152b7 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -1151,40 +1151,30 @@ static void state_save(const void *ip, const struct xt_entry_match *match)
 static void state_xlate_print(struct xt_xlate *xl, unsigned int statemask, int inverted)
 {
 	const char *sep = "";
-	int one_flag_set;
 
-	one_flag_set = !(statemask & (statemask - 1));
-
-	if (inverted && !one_flag_set)
-		xt_xlate_add(xl, "& (");
-	else if (inverted)
-		xt_xlate_add(xl, "& ");
+	if (inverted)
+		xt_xlate_add(xl, "! ");
 
 	if (statemask & XT_CONNTRACK_STATE_INVALID) {
 		xt_xlate_add(xl, "%s%s", sep, "invalid");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_NEW)) {
 		xt_xlate_add(xl, "%s%s", sep, "new");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_RELATED)) {
 		xt_xlate_add(xl, "%s%s", sep, "related");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statemask & XT_CONNTRACK_STATE_BIT(IP_CT_ESTABLISHED)) {
 		xt_xlate_add(xl, "%s%s", sep, "established");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statemask & XT_CONNTRACK_STATE_UNTRACKED) {
 		xt_xlate_add(xl, "%s%s", sep, "untracked");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
-
-	if (inverted && !one_flag_set)
-		xt_xlate_add(xl, ") == 0");
-	else if (inverted)
-		xt_xlate_add(xl, " == 0");
 }
 
 static int state_xlate(struct xt_xlate *xl,
@@ -1203,36 +1193,26 @@ static int state_xlate(struct xt_xlate *xl,
 static void status_xlate_print(struct xt_xlate *xl, unsigned int statusmask, int inverted)
 {
 	const char *sep = "";
-	int one_flag_set;
 
-	one_flag_set = !(statusmask & (statusmask - 1));
-
-	if (inverted && !one_flag_set)
-		xt_xlate_add(xl, "& (");
-	else if (inverted)
-		xt_xlate_add(xl, "& ");
+	if (inverted)
+		xt_xlate_add(xl, "! ");
 
 	if (statusmask & IPS_EXPECTED) {
 		xt_xlate_add(xl, "%s%s", sep, "expected");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statusmask & IPS_SEEN_REPLY) {
 		xt_xlate_add(xl, "%s%s", sep, "seen-reply");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statusmask & IPS_ASSURED) {
 		xt_xlate_add(xl, "%s%s", sep, "assured");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
 	if (statusmask & IPS_CONFIRMED) {
 		xt_xlate_add(xl, "%s%s", sep, "confirmed");
-		sep = inverted && !one_flag_set ? "|" : ",";
+		sep = ",";
 	}
-
-	if (inverted && !one_flag_set)
-		xt_xlate_add(xl, ") == 0");
-	else if (inverted)
-		xt_xlate_add(xl, " == 0");
 }
 
 static void addr_xlate_print(struct xt_xlate *xl,
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate
index 8cc7c504ab4b..45fba984ba96 100644
--- a/extensions/libxt_conntrack.txlate
+++ b/extensions/libxt_conntrack.txlate
@@ -2,10 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE
 nft add rule ip filter INPUT ct state new,related counter accept
 
 ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT
-nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new,related counter accept
 
 ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT
-nft add rule ip6 filter INPUT ct state & new == 0 counter accept
+nft add rule ip6 filter INPUT ct state ! new counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT
 nft add rule ip filter INPUT ct original protocol 17 counter accept
@@ -35,10 +35,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT
 nft add rule ip filter INPUT ct status expected counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT
-nft add rule ip filter INPUT ct status & confirmed == 0 counter accept
+nft add rule ip filter INPUT ct status ! confirmed counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT
-nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept
+nft add rule ip filter INPUT ct status ! assured,confirmed counter accept
 
 iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT
 nft add rule ip filter INPUT ct status assured,confirmed counter accept
-- 
2.20.1