* [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Anand Raj Manickam @ 2013-10-11 6:04 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel
This patch fixes the issue where rules are added for a non-existent
interface and cannot be deleted.
e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
you to add the rule, where the eth10.10 interface is not created,
but will not allow you to delete it, as the label maps to * by if_nametoindex().
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 25cb177..407f650 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -145,13 +145,9 @@ void add_outiface(struct nft_rule *r, char
*iface, int invflags)
else
op = NFT_CMP_EQ;
- if (iface[iface_len - 1] == '+') {
- add_meta(r, NFT_META_OIFNAME);
- add_cmp_ptr(r, op, iface, iface_len - 1);
- } else {
- add_meta(r, NFT_META_OIF);
- add_cmp_u32(r, if_nametoindex(iface), op);
- }
+ /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in
iptables */
+ add_meta(r, NFT_META_OIFNAME);
+ add_cmp_ptr(r, op, iface, iface_len);
}
void add_addr(struct nft_rule *r, int offset,
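Review bot: the `@@ -145,13 +145,9 @@` header has been wrapped by the mail client, leaving `*iface, int invflags)` on its own line, which is exactly what makes `patch` report a malformed hunk; resend through a client that does not wrap, or as an attachment. On the change itself, deleting the `iface[iface_len - 1] == '+'` branch deletes the prefix compare of `iface_len - 1` bytes, so `-o eth+` is sent to the kernel as the literal bytes `eth+` and the `NFT_META_OIFNAME` compare only equals an interface actually called `eth+`; keep the wildcard branch and, for exact names, pass `iface_len + 1` to `add_cmp_ptr` so the terminating NUL is compared and `eth1` does not also match `eth10`.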
@@ -267,15 +263,15 @@ void parse_meta(struct nft_rule_expr *e, uint8_t
key, char *iniface,
*invflags |= IPT_INV_VIA_OUT;
memcpy(outiface, ifname, len);
- outiface[len] = '\0';
- /* If zero, then this is an interface mask */
- if (if_nametoindex(outiface) == 0) {
- outiface[len] = '+';
- outiface[len+1] = '\0';
- }
+ if (outiface[len -1] == '+') {
+ outiface[len] = '\0';
+ memset(outiface_mask, 0xff, (len - 1));
+ } else {
+ outiface[len + 1 ] = '\0';
+ memset(outiface_mask, 0xff, (len + 1));
+ }
- memset(outiface_mask, 0xff, len);
break;
default:
DEBUGP("unknown meta key %d\n", key);
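Review bot: `outiface[len + 1 ] = '\0'` in the new `else` branch is off by one: the removed code terminated at `outiface[len]`, and skipping that index leaves the name dependent on whatever byte was already there (also drop the stray space before `]`). The mask lengths `len - 1` for `+` and `len + 1` for an exact name follow the iptables convention, but they only hold if the cmp data carries no trailing NUL, which is worth stating in a comment since the add side decides that.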
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Pablo Neira Ayuso @ 2013-10-11 8:15 UTC (permalink / raw)
To: Anand Raj Manickam; +Cc: netfilter-devel
On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> This patch fixes the issue where rules are added for a non-existent
> interface and cannot be deleted.
> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> you to add the rule, where the eth10.10 interface is not created,
> but will not allow you to delete it, as the label maps to * by if_nametoindex().
This patch doesn't apply:
patch -p1 < /tmp/anand.patch
patching file iptables/nft-shared.c
patch: **** malformed patch at line 6: *iface, int invflags)
Please, no need to split things in that many chunks per file. One
single patch file to address one thing is just fine, the repository
has to remain in consistent state between patches.
Thanks.
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Anand Raj Manickam @ 2013-10-11 9:35 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> This patch fixes the issue where rules are added for a non-existent
>> interface and cannot be deleted.
>> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
>> you to add the rule, where the eth10.10 interface is not created,
>> but will not allow you to delete it, as the label maps to * by if_nametoindex().
>
> This patch doesn't apply:
>
> patch -p1 < /tmp/anand.patch
> patching file iptables/nft-shared.c
> patch: **** malformed patch at line 6: *iface, int invflags)
>
> Please, no need to split things in that many chunks per file. One
> single patch file to address one thing is just fine, the repository
> has to remain in consistent state between patches.
>
> Thanks.
Merged all into a single patch.
Thanks,
Anand
[-- Attachment #2: tmp.patch, Type: application/octet-stream, Size: 3247 bytes --]
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 25cb177..a115d7d 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -124,13 +124,8 @@ void add_iniface(struct nft_rule *r, char *iface, int invflags)
else
op = NFT_CMP_EQ;
- if (iface[iface_len - 1] == '+') {
- add_meta(r, NFT_META_IIFNAME);
- add_cmp_ptr(r, op, iface, iface_len - 1);
- } else {
- add_meta(r, NFT_META_IIF);
- add_cmp_u32(r, if_nametoindex(iface), op);
- }
+ add_meta(r, NFT_META_IIFNAME);
+ add_cmp_ptr(r, op, iface, iface_len);
}
void add_outiface(struct nft_rule *r, char *iface, int invflags)
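Review bot: removing the `iface[iface_len - 1] == '+'` branch removes the only prefix match in `add_iniface`: `-i eth+` now becomes a `NFT_META_IIFNAME` compare of the four bytes `eth+`, which the kernel compares byte for byte, so `eth0` no longer matches (the regression raised in the reply). Keep the wildcard branch with `add_cmp_ptr(r, op, iface, iface_len - 1)`, and for exact names compare `iface_len + 1` bytes so the terminating NUL is included and `eth1` cannot match `eth10`.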
@@ -145,13 +140,9 @@ void add_outiface(struct nft_rule *r, char *iface, int invflags)
else
op = NFT_CMP_EQ;
- if (iface[iface_len - 1] == '+') {
- add_meta(r, NFT_META_OIFNAME);
- add_cmp_ptr(r, op, iface, iface_len - 1);
- } else {
- add_meta(r, NFT_META_OIF);
- add_cmp_u32(r, if_nametoindex(iface), op);
- }
+ /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in iptables */
+ add_meta(r, NFT_META_OIFNAME);
+ add_cmp_ptr(r, op, iface, iface_len);
}
void add_addr(struct nft_rule *r, int offset,
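Review bot: same wildcard regression as in `add_iniface`: with the `+` branch gone, `-o eth+` is compared literally and matches no real interface. Separately, `/*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in iptables */` narrates the patch rather than describing the code; that sentence belongs in the commit message, and a code comment here, if kept, should say why the name key is used instead of the index (the interface may not exist yet when the rule is added).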
@@ -227,39 +218,20 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
uint32_t len;
switch(key) {
- case NFT_META_IIF:
- value = nft_rule_expr_get_u32(e, NFT_EXPR_CMP_DATA);
- if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ)
- *invflags |= IPT_INV_VIA_IN;
-
- if_indextoname(value, iniface);
-
- memset(iniface_mask, 0xff, strlen(iniface)+1);
- break;
- case NFT_META_OIF:
- value = nft_rule_expr_get_u32(e, NFT_EXPR_CMP_DATA);
- if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ)
- *invflags |= IPT_INV_VIA_OUT;
-
- if_indextoname(value, outiface);
-
- memset(outiface_mask, 0xff, strlen(outiface)+1);
- break;
case NFT_META_IIFNAME:
ifname = nft_rule_expr_get(e, NFT_EXPR_CMP_DATA, &len);
if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ)
*invflags |= IPT_INV_VIA_IN;
memcpy(iniface, ifname, len);
- iniface[len] = '\0';
- /* If zero, then this is an interface mask */
- if (if_nametoindex(iniface) == 0) {
- iniface[len] = '+';
- iniface[len+1] = '\0';
+ if (iniface[len-1] == '+') {
+ iniface[len] = '\0';
+ memset(iniface_mask, 0xff, (len - 1));
+ } else {
+ iniface[len + 1] = '\0';
+ memset(iniface_mask, 0xff, (len + 1));
}
-
- memset(iniface_mask, 0xff, len);
break;
case NFT_META_OIFNAME:
ifname = nft_rule_expr_get(e, NFT_EXPR_CMP_DATA, &len);
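Review bot: deleting the `NFT_META_IIF` and `NFT_META_OIF` cases sends any rule already loaded with the old index-based encoding to `default:` (`unknown meta key`), so a new binary can neither list nor delete rules added by the old one, which matches the "does NOT work on rules added before patch" report later in the thread; keep both cases for parsing even though `add_iniface`/`add_outiface` no longer emit them. In the new `else` branch, `iniface[len + 1] = '\0'` leaves `iniface[len]` unset; the terminator belongs at `iniface[len]`, as the removed line had it.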
@@ -267,15 +239,15 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface,
*invflags |= IPT_INV_VIA_OUT;
memcpy(outiface, ifname, len);
- outiface[len] = '\0';
- /* If zero, then this is an interface mask */
- if (if_nametoindex(outiface) == 0) {
- outiface[len] = '+';
- outiface[len+1] = '\0';
- }
+ if (outiface[len -1] == '+') {
+ outiface[len] = '\0';
+ memset(outiface_mask, 0xff, (len - 1));
+ } else {
+ outiface[len + 1 ] = '\0';
+ memset(outiface_mask, 0xff, (len + 1));
+ }
- memset(outiface_mask, 0xff, len);
break;
default:
DEBUGP("unknown meta key %d\n", key);
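Review bot: `outiface[len + 1 ] = '\0'` carries the same off-by-one as the `iniface` branch (terminate at `outiface[len]`) and a stray space before `]`. `outiface[len -1] == '+'` also reads one byte before the buffer if `nft_rule_expr_get` ever returns `len == 0`, so guard on `len` before indexing; and the two `memset(outiface_mask, 0xff, ...)` calls that replace the single removed `memset(outiface_mask, 0xff, len)` would read better as one call with the length chosen in the `if`.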
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Pablo Neira Ayuso @ 2013-10-11 9:50 UTC (permalink / raw)
To: Anand Raj Manickam; +Cc: netfilter-devel
On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> This patch fixes the issue where rules are added for a non-existent
> >> interface and cannot be deleted.
> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> you to add the rule, where the eth10.10 interface is not created,
> >> but will not allow you to delete it, as the label maps to * by if_nametoindex().
> >
> > This patch doesn't apply:
> >
> > patch -p1 < /tmp/anand.patch
> > patching file iptables/nft-shared.c
> > patch: **** malformed patch at line 6: *iface, int invflags)
> >
> > Please, no need to split things in that many chunks per file. One
> > single patch file to address one thing is just fine, the repository
> > has to remain in consistent state between patches.
> >
> > Thanks.
>
> Merged all into a single patch.
I still think this still breaks -i eth+ matching, as there was special
handling for that case.
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Anand Raj Manickam @ 2013-10-11 10:07 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
>> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> >> This patch fixes the issue where rules are added for a non-existent
>> >> interface and cannot be deleted.
>> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
>> >> you to add the rule, where the eth10.10 interface is not created,
>> >> but will not allow you to delete it, as the label maps to * by if_nametoindex().
>> >
>> > This patch doesn't apply:
>> >
>> > patch -p1 < /tmp/anand.patch
>> > patching file iptables/nft-shared.c
>> > patch: **** malformed patch at line 6: *iface, int invflags)
>> >
>> > Please, no need to split things in that many chunks per file. One
>> > single patch file to address one thing is just fine, the repository
>> > has to remain in consistent state between patches.
>> >
>> > Thanks.
>>
>> Merged all into a single patch.
>
> I still think this still breaks -i eth+ matching, as there was special
> handling for that case.
Can you share the exact case with me? It does NOT work on rules added before the patch.
The patch looks good on my setup.
xtables -I INPUT -i eth+ -j ACCEPT
xtables -L INPUT -nv
Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
# xtables -D INPUT -i eth+ -j ACCEPT
comparing with... -A INPUT -c 0 0 -i eth+ -j ACCEPT
DEBUG: rule: ip filter INPUT 29 0
[ meta load iifname => reg 1 ]
[ cmp eq reg 1 0x2b687465 ]
[ counter pkts 0 bytes 0 ]
[ immediate reg 0 1 ]
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
From: Pablo Neira Ayuso @ 2013-10-11 11:03 UTC (permalink / raw)
To: Anand Raj Manickam; +Cc: netfilter-devel
On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> >> This patch fixes the issue where rules are added for a non-existent
> >> >> interface and cannot be deleted.
> >> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> >> you to add the rule, where the eth10.10 interface is not created,
> >> >> but will not allow you to delete it, as the label maps to * by if_nametoindex().
> >> >
> >> > This patch doesn't apply:
> >> >
> >> > patch -p1 < /tmp/anand.patch
> >> > patching file iptables/nft-shared.c
> >> > patch: **** malformed patch at line 6: *iface, int invflags)
> >> >
> >> > Please, no need to split things in that many chunks per file. One
> >> > single patch file to address one thing is just fine, the repository
> >> > has to remain in consistent state between patches.
> >> >
> >> > Thanks.
> >>
> >> Merged all into a single patch.
> >
> > I still think this still breaks -i eth+ matching, as there was special
> > handling for that case.
>
> Can you share the exact case with me? It does NOT work on rules added before the patch.
>
> The patch looks good on my setup.
> xtables -I INPUT -i eth+ -j ACCEPT
>
> xtables -L INPUT -nv
> Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
>
> # xtables -D INPUT -i eth+ -j ACCEPT
> comparing with... -A INPUT -c 0 0 -i eth+ -j ACCEPT
> DEBUG: rule: ip filter INPUT 29 0
> [ meta load iifname => reg 1 ]
> [ cmp eq reg 1 0x2b687465 ]
> [ counter pkts 0 bytes 0 ]
> [ immediate reg 0 1 ]
I guess that seems to work by adding/removing rules, but packet
matching won't work since from the kernel side it will strictly
compare the string, eg. eth0 == eth+.
Note that eth+ means we want to match all interfaces starting with 'eth'.
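As an added illustration of the point above (not code from the thread or from iptables-nftables): the iptables name/mask convention that the patch's parse side mirrors (a mask of len - 1 bytes for a trailing '+', len + 1 for an exact name), a masked compare of the kind the kernel applies to iptables interface matches, and the plain byte compare the patched add side requests, which is why "eth+" stops matching "eth0". IFNAMSIZ and all function names here are assumptions.

```c
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16  /* assumed, as in the Linux headers */

/* iptables name/mask convention (mirrored by the patch's parse side): "eth+"
 * -> name "eth", mask over len - 1 bytes; exact "eth1" -> mask over len + 1. */
static bool iface_spec_encode(const char *spec, char name[IFNAMSIZ],
                              unsigned char mask[IFNAMSIZ])
{
    size_t len = strlen(spec);
    if (len == 0 || len >= IFNAMSIZ)
        return false;
    memset(name, 0, IFNAMSIZ);
    memset(mask, 0, IFNAMSIZ);
    if (spec[len - 1] == '+') {
        memcpy(name, spec, len - 1);  /* drop the '+' */
        memset(mask, 0xff, len - 1);  /* compare the prefix bytes only */
    } else {
        memcpy(name, spec, len);
        memset(mask, 0xff, len + 1);  /* compare the name and its NUL */
    }
    return true;
}

/* Masked compare: a byte has to be equal only where the mask byte is 0xff. */
static bool iface_masked_match(const char *ifname, const char name[IFNAMSIZ],
                               const unsigned char mask[IFNAMSIZ])
{
    char buf[IFNAMSIZ] = {0};
    strncpy(buf, ifname, IFNAMSIZ - 1);
    for (size_t i = 0; i < IFNAMSIZ; i++)
        if (((unsigned char)buf[i] ^ (unsigned char)name[i]) & mask[i])
            return false;
    return true;
}

/* Does spec match ifname under the masked convention? */
static bool iface_spec_matches(const char *spec, const char *ifname)
{
    char name[IFNAMSIZ];
    unsigned char mask[IFNAMSIZ];
    return iface_spec_encode(spec, name, mask) &&
           iface_masked_match(ifname, name, mask);
}

/* Byte-for-byte compare the patch requests for "eth+": only a literal "eth+" is equal. */
static bool iface_literal_matches(const char *spec, const char *ifname) { return strcmp(spec, ifname) == 0; }
```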