[PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH iptables,v2 4/5] extensions: libxt_tcp: rework translation to use flags match representation
Date: Fri,  4 Jun 2021 00:58:05 +0200	[thread overview]
Message-ID: <20210603225806.13625-5-pablo@netfilter.org> (raw)
In-Reply-To: <20210603225806.13625-1-pablo@netfilter.org>

Use the new flags match representation available since nftables 0.9.9
to simplify the translation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 extensions/libxt_TCPMSS.txlate |  4 ++--
 extensions/libxt_tcp.c         | 10 +++++-----
 extensions/libxt_tcp.txlate    |  6 +++---
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/extensions/libxt_TCPMSS.txlate b/extensions/libxt_TCPMSS.txlate
index 6a64d2ce9bfd..3dbbad66c560 100644
--- a/extensions/libxt_TCPMSS.txlate
+++ b/extensions/libxt_TCPMSS.txlate
@@ -1,5 +1,5 @@
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set rt mtu
 
 iptables-translate -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 90
-nft add rule ip filter FORWARD tcp flags & (syn|rst) == syn counter tcp option maxseg size set 90
+nft add rule ip filter FORWARD tcp flags syn / syn,rst counter tcp option maxseg size set 90
diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c
index 58f3c0a0c3c2..4bcd94630111 100644
--- a/extensions/libxt_tcp.c
+++ b/extensions/libxt_tcp.c
@@ -381,7 +381,7 @@ static void print_tcp_xlate(struct xt_xlate *xl, uint8_t flags)
 		for (i = 0; (flags & tcp_flag_names_xlate[i].flag) == 0; i++);
 
 		if (have_flag)
-			xt_xlate_add(xl, "|");
+			xt_xlate_add(xl, ",");
 
 		xt_xlate_add(xl, "%s", tcp_flag_names_xlate[i].name);
 		have_flag = 1;
@@ -435,11 +435,11 @@ static int tcp_xlate(struct xt_xlate *xl,
 		return 0;
 
 	if (tcpinfo->flg_mask || (tcpinfo->invflags & XT_TCP_INV_FLAGS)) {
-		xt_xlate_add(xl, "%stcp flags & (", space);
-		print_tcp_xlate(xl, tcpinfo->flg_mask);
-		xt_xlate_add(xl, ") %s ",
-			   tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!=": "==");
+		xt_xlate_add(xl, "%stcp flags %s", space,
+			     tcpinfo->invflags & XT_TCP_INV_FLAGS ? "!= ": "");
 		print_tcp_xlate(xl, tcpinfo->flg_cmp);
+		xt_xlate_add(xl, " / ");
+		print_tcp_xlate(xl, tcpinfo->flg_mask);
 	}
 
 	return 1;
diff --git a/extensions/libxt_tcp.txlate b/extensions/libxt_tcp.txlate
index bba63324df2b..921d4af024d3 100644
--- a/extensions/libxt_tcp.txlate
+++ b/extensions/libxt_tcp.txlate
@@ -11,13 +11,13 @@ iptables-translate -I OUTPUT -p tcp --dport 1020:1023 --sport 53 -j ACCEPT
 nft insert rule ip filter OUTPUT tcp sport 53 tcp dport 1020-1023 counter accept
 
 iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-nft add rule ip filter INPUT tcp flags & fin|ack == fin counter drop
+nft add rule ip filter INPUT tcp flags fin / fin,ack counter drop
 
 iptables-translate -A INPUT -p tcp --syn -j ACCEPT
-nft add rule ip filter INPUT tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -p tcp --syn --dport 80 -j ACCEPT
-nft add rule ip filter INPUT tcp dport 80 tcp flags & (fin|syn|rst|ack) == syn counter accept
+nft add rule ip filter INPUT tcp dport 80 tcp flags syn / fin,syn,rst,ack counter accept
 
 iptables-translate -A INPUT -f -p tcp
 nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 ip protocol tcp counter
-- 
2.20.1

