From: Dan Williams
Subject: [PATCH v3] libiptc: don't set_changed() when checking rules with module jumps
Date: Sat, 25 Feb 2017 22:02:03 -0600
Message-ID: <1488081723.31061.5.camel@redhat.com>
References: <1487960119.27698.11.camel@redhat.com> <1487960755.27698.15.camel@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
To: netfilter-devel@vger.kernel.org
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:47102 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751890AbdBZEDu (ORCPT ); Sat, 25 Feb 2017 23:03:50 -0500
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 580AA83F40 for ; Sun, 26 Feb 2017 04:02:06 +0000 (UTC)
Received: from ovpn-112-18.phx2.redhat.com (ovpn-112-18.phx2.redhat.com [10.3.112.18]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1Q424Vg017558 for ; Sat, 25 Feb 2017 23:02:05 -0500
In-Reply-To: <1487960755.27698.15.camel@redhat.com>
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

Checking a rule that includes a jump to a module-based target currently sets the "changed" flag on the handle, which then causes TC_COMMIT() to run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This seems wrong for simply checking rules, an operation which is documented as "...does not alter the existing iptables configuration..." yet it clearly could do so.

Fix that by ensuring that rule check operations for module targets don't set the changed flag, and thus exit early from TC_COMMIT().

Signed-off-by: Dan Williams
---
 libiptc/libiptc.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 2c66d04..a6e7057 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict) static int iptcc_map_target(struct xtc_handle *const handle, - struct rule_head *r) + struct rule_head *r, + bool dry_run) { STRUCT_ENTRY *e = r->entry; STRUCT_ENTRY_TARGET *t = GET_TARGET(e); @@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle, 0, FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name)); r->type = IPTCC_R_MODULE; - set_changed(handle); + if (!dry_run) + set_changed(handle); return 1; } @@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain, memcpy(r->entry, e, e->next_offset); r->counter_map.maptype = COUNTER_MAP_SET; - if (!iptcc_map_target(handle, r)) { + if (!iptcc_map_target(handle, r, false)) { free(r); return 0; } @@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain, memcpy(r->entry, e, e->next_offset); r->counter_map.maptype = COUNTER_MAP_SET; - if (!iptcc_map_target(handle, r)) { + if (!iptcc_map_target(handle, r, false)) { free(r); return 0; } @@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain, memcpy(r->entry, e, e->next_offset); r->counter_map.maptype = COUNTER_MAP_SET; - if (!iptcc_map_target(handle, r)) { + if (!iptcc_map_target(handle, r, false)) { DEBUGP("unable to map target of rule for chain `%s'\n", chain); free(r); return 0; @@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw, memcpy(r->entry, origfw, origfw->next_offset); r->counter_map.maptype = COUNTER_MAP_NOMAP; - if (!iptcc_map_target(handle, r)) { + if (!iptcc_map_target(handle, r, dry_run)) { DEBUGP("unable to map target of rule for chain `%s'\n", chain); free(r); return 0; -- 2.9.3
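Review bot: the new `dry_run` parameter added to iptcc_map_target() in the first hunk is undocumented, and its only effect is the `if (!dry_run) set_changed(handle);` guard in the IPTCC_R_MODULE branch of the second hunk, so a one-line comment above the function (for example `/* dry_run: rule is only being checked, do not mark the handle changed */`) would stop a future caller from passing true and expecting the whole mapping step to become a no-op.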
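Review bot: the guard in the second hunk only covers the module-target branch; if the standard-target or chain-jump branches earlier in iptcc_map_target() (outside this diff) also call set_changed(), a check of a rule with a plain chain jump would still send TC_COMMIT() down the SO_SET_REPLACE path the commit message describes, so it is worth confirming that IPTCC_R_MODULE was the only branch setting the flag. That matters beyond correctness: SO_SET_REPLACE writes back the handle's whole table snapshot, so a "check" that ends in a replace can silently overwrite rules another process added between the handle's init and the commit. A regression test that checks a module-target rule on a fresh handle and asserts the following commit returns early would pin the fix.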
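Review bot: the last hunk forwards delete_entry()'s existing dry_run to iptcc_map_target() while the insert/replace/append hunks hard-code false; since delete_entry()'s declaration is outside this diff, please confirm its dry_run is already a bool (and that libiptc.c includes stdbool.h for the new prototype), otherwise the call relies on an implicit int-to-bool conversion that a later widening of that flag could break.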