From 2fb92babbf460de158cc435f66c46f0642763193 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 4 Mar 2022 12:50:01 +0100 Subject: [PATCH] libxtables: Boost rule target checks by announcing chain names When restoring a ruleset, feed libxtables with chain names from respective lines to avoid an extension search. While the user's intention is clear, this effectively disables the sanity check for clashes with target extensions. But: * The check yielded only a warning and the clashing chain was finally accepted. * Users crafting iptables dumps for feeding into iptables-restore likely know what they're doing. Signed-off-by: Phil Sutter Acked-by: Florian Westphal (cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518) --- include/xtables.h | 3 +++ iptables/iptables-restore.c | 1 + iptables/xtables-restore.c | 1 + libxtables/xtables.c | 6 ++++++ 4 files changed, 11 insertions(+) diff --git a/include/xtables.h b/include/xtables.h index a7b36979398ba..3c0d0f78e8d1a 100644 --- a/include/xtables.h +++ b/include/xtables.h @@ -633,6 +633,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment); const char *xt_xlate_get_comment(struct xt_xlate *xl); const char *xt_xlate_get(struct xt_xlate *xl); +/* informed target lookups */ +void xtables_announce_chain(const char *name); + #ifdef XTABLES_INTERNAL /* Shipped modules rely on this... */ diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c index cc2c2b8b10086..a34d95015c93c 100644 --- a/iptables/iptables-restore.c +++ b/iptables/iptables-restore.c @@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb, cb->ops->strerror(errno)); } + xtables_announce_chain(chain); ret = 1; } else if (in_table) { diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index 5d0e44843b285..b3c8dbaa7e2cc 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -156,6 +156,7 @@ static void xtables_restore_parse_line(struct nft_handle *h, "%s: line %u chain name invalid\n", xt_params->program_name, line); + xtables_announce_chain(chain); assert_valid_chain_name(chain); policy = strtok(NULL, " \t\n"); diff --git a/libxtables/xtables.c b/libxtables/xtables.c index b2b3eddf78dbc..803551053c15f 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name) hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]); } +void xtables_announce_chain(const char *name) +{ + if (!notargets_hlist_lookup(name)) + notargets_hlist_insert(name); +} + void xtables_init(void) { xtables_libdir = getenv("XTABLES_LIBDIR"); -- 2.40.0