netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] libxtables: duplicated loopback address via host_to_ipaddr()
Date: Wed,  8 Mar 2017 15:33:04 +0100
Message-ID: <1488983584-26091-1-git-send-email-pablo@netfilter.org>

Originally reported as an iptables-translate problem, but this also
affects iptables and ip6tables.

 $ iptables-translate -A INPUT -s localhost -j ACCEPT

gives duplicated rules:

 nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept
 nft add rule ip filter INPUT ip saddr 127.0.0.1 counter accept

This handling sucks, but libc seems to need it if we have 127.0.0.1 and ::1
entries in /etc/hosts, which are common in many distros.

For more info, see:

https://sourceware.org/bugzilla/show_bug.cgi?id=4980
https://bugzilla.redhat.com/show_bug.cgi?id=496300

Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
What a beauty...

 libxtables/xtables.c | 40 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index d43f97066ea9..80b00420e039 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1358,12 +1358,18 @@ static struct in_addr *network_to_ipaddr(const char *name)
 	return NULL;
 }
 
+static const struct in_addr *addrinfo_get_sin_addr(const struct addrinfo *addr)
+{
+	return &((const struct sockaddr_in *)addr->ai_addr)->sin_addr;
+}
+
 static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
 {
 	struct in_addr *addr;
 	struct addrinfo hints;
 	struct addrinfo *res, *p;
 	int err;
+	bool loopback_seen;
 	unsigned int i;
 
 	memset(&hints, 0, sizeof(hints));
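Review bot: "bool loopback_seen" is added to host_to_ipaddr()'s locals, but this hunk does not show whether xtables.c includes <stdbool.h>; please confirm it does (or use an int flag) so the patch builds on compilers that do not predeclare bool. On the new addrinfo_get_sin_addr() helper: the unconditional cast of ai_addr to sockaddr_in is only valid when every entry in the list is AF_INET. host_to_ipaddr() already relied on that with the inline cast this patch replaces, but now that the cast lives in a separately named helper, a one-line comment stating that precondition would stop someone reusing it on an unfiltered addrinfo list.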
@@ -1375,13 +1381,39 @@ static struct in_addr *host_to_ipaddr(const char *name, unsigned int *naddr)
 	if ((err = getaddrinfo(name, NULL, &hints, &res)) != 0) {
 		return NULL;
 	} else {
-		for (p = res; p != NULL; p = p->ai_next)
+		loopback_seen = false;
+		for (p = res; p != NULL; p = p->ai_next) {
+			/*
+			 * This handling sucks, but libc seem to need this
+			 * workaround when 127.0.0.1 and ::1 entries in
+			 * /etc/hosts that are common in many distros, see:
+			 *
+			 * https://sourceware.org/bugzilla/show_bug.cgi?id=4980
+			 * https://bugzilla.redhat.com/show_bug.cgi?id=496300
+			 *
+			 * Note that we cannot use AI_ADDRCONFIG because this
+			 * needs to work with br_netfilter, where we may have no
+			 * configured address.
+			 */
+			if (loopback_seen)
+				continue;
+			if (addrinfo_get_sin_addr(p)->s_addr ==
+							htonl(INADDR_LOOPBACK))
+				loopback_seen = true;
+
 			++*naddr;
+		}
+		loopback_seen = false;
 		addr = xtables_calloc(*naddr, sizeof(struct in_addr));
-		for (i = 0, p = res; p != NULL; p = p->ai_next)
-			memcpy(&addr[i++],
-			       &((const struct sockaddr_in *)p->ai_addr)->sin_addr,
+		for (i = 0, p = res; p != NULL; p = p->ai_next) {
+			if (loopback_seen)
+				continue;
+			if (addrinfo_get_sin_addr(p)->s_addr ==
+							htonl(INADDR_LOOPBACK))
+				loopback_seen = true;
+			memcpy(&addr[i++], addrinfo_get_sin_addr(p),
 			       sizeof(struct in_addr));
+		}
 		freeaddrinfo(res);
 		return addr;
 	}
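Review bot: the "if (loopback_seen) continue;" at the head of both loops skips every entry that follows the first 127.0.0.1, not only repeated loopback entries, so a getaddrinfo() result in which another address comes after the duplicated loopback would silently lose that address, whereas the commit message describes only the duplicate as the problem. Test the current entry first and consult the flag only when it is loopback, e.g. "if (addrinfo_get_sin_addr(p)->s_addr == htonl(INADDR_LOOPBACK)) { if (loopback_seen) continue; loopback_seen = true; }", applied identically in the counting loop and the copying loop so that the *naddr handed to xtables_calloc() still matches the number of memcpy() calls. Since that test is written twice, a small helper next to addrinfo_get_sin_addr() (say addrinfo_is_loopback()) would keep the two loops from drifting apart. Separately, the subject and first paragraph say ip6tables is affected too, yet the diffstat touches only host_to_ipaddr(); is the ::1 side in host_to_ip(6)addr meant to follow in a separate patch?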
-- 
2.1.4



Thread overview: 18+ messages
2017-03-08 14:33 Pablo Neira Ayuso [this message]
2017-03-08 16:25 ` [PATCH] libxtables: duplicated loopback address via host_to_ipaddr() Jan Engelhardt
2017-03-08 16:25   ` [PATCH 1/3] extensions: libxt_socket: add --restore-skmark option Jan Engelhardt
2017-03-08 16:25   ` [PATCH 2/3] build: resolve build error involving libnftnl Jan Engelhardt
2017-03-08 16:25   ` [PATCH 3/3] extensions: restore matching any SPI id by default Jan Engelhardt
2017-03-08 16:26 ` Filter duplicate IP addresses from libxtables Jan Engelhardt
2017-03-08 16:26   ` [PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr Jan Engelhardt
2017-03-08 16:45     ` Pablo Neira Ayuso
2017-03-08 16:26   ` [PATCH 2/3] libxtables: abolish AI_CANONNAME Jan Engelhardt
2017-03-08 16:46     ` Pablo Neira Ayuso
2017-03-08 16:26   ` [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution Jan Engelhardt
2017-03-08 16:45     ` Pablo Neira Ayuso
2017-03-08 16:56       ` Jan Engelhardt
2017-03-10 18:22         ` Pablo Neira Ayuso
2017-03-08 16:42 ` [PATCH 1/3] libxtables: remove unnecessary nesting from host_to_ip(6)addr Jan Engelhardt
2017-03-08 16:42   ` [PATCH 2/3] libxtables: abolish AI_CANONNAME Jan Engelhardt
2017-03-08 16:42   ` [PATCH 3/3] libxtables: avoid returning duplicate address for host resolution Jan Engelhardt
2017-03-09  7:32 ` [PATCH] libxtables: duplicated loopback address via host_to_ipaddr() Alexander Alemayhu
