From: Arturo Borrero Gonzalez <arturo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: phil@nwl.cc, pablo@netfilter.org
Subject: [iptables PATCH] iptables-nft: fix basechain policy configuration
Date: Fri, 02 Oct 2020 13:44:36 +0200
Message-ID: <160163907669.18523.7311010971070291883.stgit@endurance>
From: Pablo Neira Ayuso <pablo@netfilter.org>
Previous to this patch, the basechain policy could not be properly configured if it wasn't
explicitly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore)
trying to send an invalid ruleset to the kernel.
CC: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
iptables/nft.c | 6 +++++-
.../testcases/nft-only/0008-basechain-policy_0 | 21 ++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
diff --git a/iptables/nft.c b/iptables/nft.c
index 27bb98d1..f29fe5b4 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -678,7 +678,9 @@ nft_chain_builtin_alloc(const struct builtin_table *table,
nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name);
nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook);
nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio);
- nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+ if (policy >= 0)
+ nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+
nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
return c;
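Review bot: the new `if (policy >= 0)` guard in nft_chain_builtin_alloc only does its job if `policy` is a signed type, and the hunk does not show the parameter list (the `@@` header cuts it after `table`). If the parameter is declared `uint32_t` to match `nftnl_chain_set_u32`, a caller passing -1 wraps to 0xffffffff, the check is always true and the kernel still receives a bogus policy attribute. Please confirm the prototype reads `int policy`, and consider a named constant for the "leave policy unset" sentinel instead of relying on the sign so the meaning of the check is visible at this site.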
@@ -911,6 +913,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
c = nft_chain_new(h, table, chain, NF_DROP, counters);
else if (strcmp(policy, "ACCEPT") == 0)
c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+ else if (strcmp(policy, "-") == 0)
+ c = nft_chain_new(h, table, chain, -1, counters);
else
errno = EINVAL;
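Review bot: `nft_chain_new(h, table, chain, -1, counters)` introduces a magic -1 for "no policy" in nft_chain_set; prefer a named constant shared with the `policy >= 0` check in nft_chain_builtin_alloc so the two sites cannot drift apart (the name is up to you, something like a `*_POLICY_UNSET` define). A one-line comment here would also help: `"-"` is what iptables-restore emits for a chain line that carries no policy (`:OUTPUT - [0:0]`), and with this change it is accepted for builtin chains instead of falling through to `errno = EINVAL`.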
diff --git a/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
new file mode 100755
index 00000000..61e408e8
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+set -e
+
+# make sure iptables-nft-restore can correctly handle basechain policies when they aren't set
+
+$XT_MULTI iptables-restore <<EOF
+*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
+:neutron-linuxbri-OUTPUT - [0:0]
+:neutron-linuxbri-PREROUTING - [0:0]
+-I OUTPUT 1 -j neutron-linuxbri-OUTPUT
+-I PREROUTING 1 -j neutron-linuxbri-PREROUTING
+-I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -j CT --zone 4097
+-I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -j CT --zone 4097
+-I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -j CT --zone 4097
+
+COMMIT
+EOF
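Review bot: the test only asserts that `$XT_MULTI iptables-restore` exits 0 (via `set -e`); it never checks what policy the OUTPUT and PREROUTING base chains ended up with, so a regression that silently programmed DROP or ACCEPT on them would still pass. Consider running `$XT_MULTI iptables-save` (or `nft list ruleset`) after the restore and comparing the `:OUTPUT` / `:PREROUTING` lines of the raw table against the expected output. The `neutron-linuxbri-*` chains, the `--physdev-in` matches and the `-i brq7425e328-56` rule work as fixture data without those interfaces existing, but a short comment saying this is a trimmed real-world ruleset that reproduced the bug would help the next reader understand why these particular rules are here.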
Thread overview: 17+ messages
2020-10-02 11:44 Arturo Borrero Gonzalez [this message]
2020-10-02 12:07 ` [iptables PATCH] iptables-nft: fix basechain policy configuration Phil Sutter
2020-10-02 12:15 ` Pablo Neira Ayuso
2020-10-02 12:28 ` Phil Sutter
2020-10-02 12:47 ` Pablo Neira Ayuso
2020-10-02 13:31 ` Phil Sutter
2020-10-02 14:39 ` Pablo Neira Ayuso
2020-10-08 17:31 ` Pablo Neira Ayuso
2020-10-09 8:29 ` Phil Sutter
2020-10-09 8:50 ` Pablo Neira Ayuso
2020-10-09 9:37 ` Phil Sutter
2020-10-09 10:07 ` Reindl Harald
2020-10-09 10:14 ` Phil Sutter
2020-10-09 10:28 ` Reindl Harald
2020-10-09 10:37 ` Jozsef Kadlecsik
2020-10-09 12:04 ` Phil Sutter
2020-10-09 19:05 ` Jozsef Kadlecsik