From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Sutter <phil@nwl.cc>,
Arturo Borrero Gonzalez <arturo@netfilter.org>,
netfilter-devel@vger.kernel.org
Subject: Re: [iptables PATCH] iptables-nft: fix basechain policy configuration
Date: Fri, 2 Oct 2020 14:47:41 +0200 [thread overview]
Message-ID: <20201002124741.GA2232@salvia> (raw)
In-Reply-To: <20201002122852.GC29050@orbyte.nwl.cc>
On Fri, Oct 02, 2020 at 02:28:52PM +0200, Phil Sutter wrote:
> On Fri, Oct 02, 2020 at 02:15:58PM +0200, Pablo Neira Ayuso wrote:
> > On Fri, Oct 02, 2020 at 02:07:32PM +0200, Phil Sutter wrote:
> > > Hi,
> > >
> > > On Fri, Oct 02, 2020 at 01:44:36PM +0200, Arturo Borrero Gonzalez wrote:
> > > > Previous to this patch, the basechain policy could not be properly configured if it wasn't
> > > > explictly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore)
> > > > trying to send an invalid ruleset to the kernel.
> > >
> > > I fear this is not sufficient: iptables-legacy-restore leaves the
> > > previous chain policy in place if '-' is given in dump file. Please try
> > > this snippet from a testcase I wrote:
> > >
> > > $XT_MULTI iptables -P FORWARD DROP
> > >
> > > diff -u -Z <($XT_MULTI iptables-save | grep '^:FORWARD') \
> > > <(echo ":FORWARD DROP [0:0]")
> > >
> > > $XT_MULTI iptables-restore -c <<< "$TEST_RULESET"
> > > diff -u -Z <($XT_MULTI iptables-save | grep '^:FORWARD') \
> > > <(echo ":FORWARD DROP [0:0]")
> >
> > Hm, this is how it works in this patch right?
> >
> > I mean, if '-' is given, chain policy attribute in the netlink message
> > is not set, and the kernel sets chain policy to
> > NFT_CHAIN_POLICY_UNSET.
> >
> > Or am I missing anything?
>
> This is *flushing* iptables-restore. We're dropping the chain first and
> then reinstall it.
OK, so this fix only works with --noflush.
If --noflush is not specified, then it should be possible to extend
the cache to dump the chains, get the existing policy and use it.
There is now a phase to evaluate the cache requirements, so you can
fetch this. Then, from the netlink phase, look up for the existing
policy in the cache and use it.
> Another quirk is that iptables-legacy-restore ignores the counters if
> policy is '-' even if --counters flag was given. (:
OK, so this needs two more fixed on top of this one.
next prev parent reply other threads:[~2020-10-02 12:48 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-02 11:44 [iptables PATCH] iptables-nft: fix basechain policy configuration Arturo Borrero Gonzalez
2020-10-02 12:07 ` Phil Sutter
2020-10-02 12:15 ` Pablo Neira Ayuso
2020-10-02 12:28 ` Phil Sutter
2020-10-02 12:47 ` Pablo Neira Ayuso [this message]
2020-10-02 13:31 ` Phil Sutter
2020-10-02 14:39 ` Pablo Neira Ayuso
2020-10-08 17:31 ` Pablo Neira Ayuso
2020-10-09 8:29 ` Phil Sutter
2020-10-09 8:50 ` Pablo Neira Ayuso
2020-10-09 9:37 ` Phil Sutter
2020-10-09 10:07 ` Reindl Harald
2020-10-09 10:14 ` Phil Sutter
2020-10-09 10:28 ` Reindl Harald
2020-10-09 10:37 ` Jozsef Kadlecsik
2020-10-09 12:04 ` Phil Sutter
2020-10-09 19:05 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201002124741.GA2232@salvia \
--to=pablo@netfilter.org \
--cc=arturo@netfilter.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.