a556128cb3
- libxtables: Boost rule target checks by announcing chain names - libxtables: Implement notargets hash table - nft: Reject standard targets as chain names when restoring - xshared: Merge and share parse_chain() - xshared: Prefer xtables_chain_protos lookup over getprotoent - nft: Speed up immediate parsing - nft: Simplify immediate parsing Resolves: rhbz#2065330
87 lines
2.7 KiB
Diff
87 lines
2.7 KiB
Diff
From 2b17d7f73969459ee0d6503f10ac4122452431d1 Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <phil@nwl.cc>
|
|
Date: Fri, 4 Mar 2022 12:50:01 +0100
|
|
Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
|
|
names
|
|
|
|
When restoring a ruleset, feed libxtables with chain names from
|
|
respective lines to avoid an extension search.
|
|
|
|
While the user's intention is clear, this effectively disables the
|
|
sanity check for clashes with target extensions. But:
|
|
|
|
* The check yielded only a warning and the clashing chain was finally
|
|
accepted.
|
|
|
|
* Users crafting iptables dumps for feeding into iptables-restore likely
|
|
know what they're doing.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Acked-by: Florian Westphal <fw@strlen.de>
|
|
(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
|
|
---
|
|
include/xtables.h | 3 +++
|
|
iptables/iptables-restore.c | 1 +
|
|
iptables/xtables-restore.c | 1 +
|
|
libxtables/xtables.c | 6 ++++++
|
|
4 files changed, 11 insertions(+)
|
|
|
|
diff --git a/include/xtables.h b/include/xtables.h
|
|
index 107ad7d65e6fc..b5a6764abfa4e 100644
|
|
--- a/include/xtables.h
|
|
+++ b/include/xtables.h
|
|
@@ -637,6 +637,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
|
|
const char *xt_xlate_get_comment(struct xt_xlate *xl);
|
|
const char *xt_xlate_get(struct xt_xlate *xl);
|
|
|
|
+/* informed target lookups */
|
|
+void xtables_announce_chain(const char *name);
|
|
+
|
|
#ifdef XTABLES_INTERNAL
|
|
|
|
/* Shipped modules rely on this... */
|
|
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
|
|
index cc2c2b8b10086..a34d95015c93c 100644
|
|
--- a/iptables/iptables-restore.c
|
|
+++ b/iptables/iptables-restore.c
|
|
@@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
|
|
cb->ops->strerror(errno));
|
|
}
|
|
|
|
+ xtables_announce_chain(chain);
|
|
ret = 1;
|
|
|
|
} else if (in_table) {
|
|
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
|
index 074efeab0b4e7..7e347e49aaaaa 100644
|
|
--- a/iptables/xtables-restore.c
|
|
+++ b/iptables/xtables-restore.c
|
|
@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
|
|
"%s: line %u chain name invalid\n",
|
|
xt_params->program_name, line);
|
|
|
|
+ xtables_announce_chain(chain);
|
|
assert_valid_chain_name(chain);
|
|
|
|
policy = strtok(NULL, " \t\n");
|
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
|
index e8e900e869e1e..64d347e6ed434 100644
|
|
--- a/libxtables/xtables.c
|
|
+++ b/libxtables/xtables.c
|
|
@@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name)
|
|
hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
|
|
}
|
|
|
|
+void xtables_announce_chain(const char *name)
|
|
+{
|
|
+ if (!notargets_hlist_lookup(name))
|
|
+ notargets_hlist_insert(name);
|
|
+}
|
|
+
|
|
void xtables_init(void)
|
|
{
|
|
xtables_libdir = getenv("XTABLES_LIBDIR");
|
|
--
|
|
2.34.1
|
|
|