[iptables PATCH] xtables-translate: Fix for iface++

[iptables PATCH] xtables-translate: Fix for iface++

[Phil Sutter]

In legacy iptables, only the last plus sign remains special, any
previous ones are taken literally. Therefore xtables-translate must not
replace all of them with asterisk but just the last one.

Fixes: e179e87a1179e ("xtables-translate: Fix for interface name corner-cases")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/generic.txlate    | 4 ++++
 iptables/xtables-translate.c | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/extensions/generic.txlate b/extensions/generic.txlate
index c92d082abea78..0e256c3727559 100644
--- a/extensions/generic.txlate
+++ b/extensions/generic.txlate
@@ -23,6 +23,10 @@ nft insert rule bridge filter INPUT ether type 0x800 ether daddr 01:02:03:04:00:
 iptables-translate -A FORWARD -i '*' -o 'eth*foo'
 nft add rule ip filter FORWARD iifname "\*" oifname "eth\*foo" counter
 
+# escape all asterisks but translate only the first plus character
+iptables-translate -A FORWARD -i 'eth*foo*+' -o 'eth++'
+nft add rule ip filter FORWARD iifname "eth\*foo\**" oifname "eth+*" counter
+
 # skip for always matching interface names
 iptables-translate -A FORWARD -i '+'
 nft add rule ip filter FORWARD counter
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index c4e177c0d63ba..0f95855b41aa4 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -40,9 +40,6 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 
 	for (i = 0, j = 0; i < ifaclen + 1; i++, j++) {
 		switch (ifname[i]) {
-		case '+':
-			iface[j] = '*';
-			break;
 		case '*':
 			iface[j++] = '\\';
 			/* fall through */
@@ -65,6 +62,9 @@ void xlate_ifname(struct xt_xlate *xl, const char *nftmeta, const char *ifname,
 		invert = false;
 	}
 
+	if (iface[j - 2] == '+')
+		iface[j - 2] = '*';
+
 	xt_xlate_add(xl, "%s %s\"%s\" ", nftmeta, invert ? "!= " : "", iface);
 }
 
-- 
2.24.1

Re: [iptables PATCH] xtables-translate: Fix for iface++

[Pablo Neira Ayuso]

On Thu, Feb 13, 2020 at 02:04:36PM +0100, Phil Sutter wrote:
> In legacy iptables, only the last plus sign remains special, any
> previous ones are taken literally. Therefore xtables-translate must not
> replace all of them with asterisk but just the last one.

Interesting corner case.

LGTM.

Re: [iptables PATCH] xtables-translate: Fix for iface++

[Phil Sutter]

Hi Pablo,

On Fri, Feb 14, 2020 at 10:00:24AM +0100, Pablo Neira Ayuso wrote:
> On Thu, Feb 13, 2020 at 02:04:36PM +0100, Phil Sutter wrote:
> > In legacy iptables, only the last plus sign remains special, any
> > previous ones are taken literally. Therefore xtables-translate must not
> > replace all of them with asterisk but just the last one.
> 
> Interesting corner case.

I'm merely fixing the bugs I introduced earlier - old code (prior to my
initial fix for translating '+' as interface name) did it right,
considering only the last character for wildcard substitution and
leaving any earlier '+' chars in place. :)

Cheers, Phil