144 lines
4.7 KiB
Diff
144 lines
4.7 KiB
Diff
|
From b7556207b12decbe4e79bf218ec5bff073a04ad2 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
|
Date: Tue, 27 Nov 2018 20:07:11 +0100
|
||
|
|
Subject: [PATCH] xtables: Don't use native nftables comments
|
||
|
|
|
||
|
|
The problem with converting libxt_comment into nftables comment is that
|
||
|
|
rules change when parsing from kernel due to comment match being moved
|
||
|
|
to the end of the match list. And since match ordering matters, the rule
|
||
|
|
may not be found anymore when checking or deleting. Apart from that,
|
||
|
|
iptables-nft didn't support multiple comments per rule anymore. This is
|
||
|
|
a compatibility issue without technical reason.
|
||
|
|
|
||
|
|
Leave conversion from nftables comment to libxt_comment in place so we
|
||
|
|
don't break running systems during an update.
|
||
|
|
|
||
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
|
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|
|
(cherry picked from commit ccf154d7420c07b6e6febc1c3b8b31d2bd1adbe6)
|
||
|
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||
|
|
---
|
||
|
|
extensions/libxt_comment.t | 2 ++
|
||
|
|
iptables/nft-ipv4.c | 14 +++-----------
|
||
|
|
iptables/nft-ipv6.c | 14 +++-----------
|
||
|
|
iptables/nft.c | 27 ---------------------------
|
||
|
|
iptables/nft.h | 1 -
|
||
|
|
5 files changed, 8 insertions(+), 50 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/extensions/libxt_comment.t b/extensions/libxt_comment.t
|
||
|
|
index f12cd66841e7f..f0c8fb999401b 100644
|
||
|
|
--- a/extensions/libxt_comment.t
|
||
|
|
+++ b/extensions/libxt_comment.t
|
||
|
|
@@ -1,6 +1,8 @@
|
||
|
|
:INPUT,FORWARD,OUTPUT
|
||
|
|
-m comment;;FAIL
|
||
|
|
-m comment --comment;;FAIL
|
||
|
|
+-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK
|
||
|
|
+-p tcp -m comment --comment foo -m tcp --dport 22;=;OK
|
||
|
|
#
|
||
|
|
# it fails with 256 characters
|
||
|
|
#
|
||
|
|
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
|
||
|
|
index ffb439b4a1128..4497eb9b9347c 100644
|
||
|
|
--- a/iptables/nft-ipv4.c
|
||
|
|
+++ b/iptables/nft-ipv4.c
|
||
|
|
@@ -77,17 +77,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
|
||
|
|
add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
|
||
|
|
|
||
|
|
for (matchp = cs->matches; matchp; matchp = matchp->next) {
|
||
|
|
- /* Use nft built-in comments support instead of comment match */
|
||
|
|
- if (strcmp(matchp->match->name, "comment") == 0) {
|
||
|
|
- ret = add_comment(r, (char *)matchp->match->m->data);
|
||
|
|
- if (ret < 0)
|
||
|
|
- goto try_match;
|
||
|
|
- } else {
|
||
|
|
-try_match:
|
||
|
|
- ret = add_match(r, matchp->match->m);
|
||
|
|
- if (ret < 0)
|
||
|
|
- return ret;
|
||
|
|
- }
|
||
|
|
+ ret = add_match(r, matchp->match->m);
|
||
|
|
+ if (ret < 0)
|
||
|
|
+ return ret;
|
||
|
|
}
|
||
|
|
|
||
|
|
/* Counters need to me added before the target, otherwise they are
|
||
|
|
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
|
||
|
|
index 7bacee4ab3a21..cacb1c9e141f2 100644
|
||
|
|
--- a/iptables/nft-ipv6.c
|
||
|
|
+++ b/iptables/nft-ipv6.c
|
||
|
|
@@ -66,17 +66,9 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
|
||
|
|
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
|
||
|
|
|
||
|
|
for (matchp = cs->matches; matchp; matchp = matchp->next) {
|
||
|
|
- /* Use nft built-in comments support instead of comment match */
|
||
|
|
- if (strcmp(matchp->match->name, "comment") == 0) {
|
||
|
|
- ret = add_comment(r, (char *)matchp->match->m->data);
|
||
|
|
- if (ret < 0)
|
||
|
|
- goto try_match;
|
||
|
|
- } else {
|
||
|
|
-try_match:
|
||
|
|
- ret = add_match(r, matchp->match->m);
|
||
|
|
- if (ret < 0)
|
||
|
|
- return ret;
|
||
|
|
- }
|
||
|
|
+ ret = add_match(r, matchp->match->m);
|
||
|
|
+ if (ret < 0)
|
||
|
|
+ return ret;
|
||
|
|
}
|
||
|
|
|
||
|
|
/* Counters need to me added before the target, otherwise they are
|
||
|
|
diff --git a/iptables/nft.c b/iptables/nft.c
|
||
|
|
index e8538d38e0109..6863d851e44c2 100644
|
||
|
|
--- a/iptables/nft.c
|
||
|
|
+++ b/iptables/nft.c
|
||
|
|
@@ -1107,33 +1107,6 @@ enum udata_type {
|
||
|
|
};
|
||
|
|
#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
|
||
|
|
|
||
|
|
-int add_comment(struct nftnl_rule *r, const char *comment)
|
||
|
|
-{
|
||
|
|
- struct nftnl_udata_buf *udata;
|
||
|
|
- uint32_t len;
|
||
|
|
-
|
||
|
|
- if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
|
||
|
|
- return -EALREADY;
|
||
|
|
-
|
||
|
|
- udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
|
||
|
|
- if (!udata)
|
||
|
|
- return -ENOMEM;
|
||
|
|
-
|
||
|
|
- if (strnlen(comment, 255) == 255)
|
||
|
|
- return -ENOSPC;
|
||
|
|
-
|
||
|
|
- if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
|
||
|
|
- return -ENOMEM;
|
||
|
|
-
|
||
|
|
- nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
|
||
|
|
- nftnl_udata_buf_data(udata),
|
||
|
|
- nftnl_udata_buf_len(udata));
|
||
|
|
-
|
||
|
|
- nftnl_udata_buf_free(udata);
|
||
|
|
-
|
||
|
|
- return 0;
|
||
|
|
-}
|
||
|
|
-
|
||
|
|
static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
|
||
|
|
{
|
||
|
|
unsigned char *value = nftnl_udata_get(attr);
|
||
|
|
diff --git a/iptables/nft.h b/iptables/nft.h
|
||
|
|
index 9b4ba5f9a63eb..052105fc6f3cd 100644
|
||
|
|
--- a/iptables/nft.h
|
||
|
|
+++ b/iptables/nft.h
|
||
|
|
@@ -116,7 +116,6 @@ int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
|
||
|
|
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
|
||
|
|
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
|
||
|
|
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
|
||
|
|
-int add_comment(struct nftnl_rule *r, const char *comment);
|
||
|
|
char *get_comment(const void *data, uint32_t data_len);
|
||
|
|
|
||
|
|
enum nft_rule_print {
|
||
|
|
--
|
||
|
|
2.21.0
|
||
|
|
|