* [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface @ 2013-10-11 6:04 Anand Raj Manickam 2013-10-11 8:15 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: Anand Raj Manickam @ 2013-10-11 6:04 UTC (permalink / raw) To: Pablo Neira Ayuso, netfilter-devel This patch fixes the issue where , the Rules are added for non existent interface and unable to delete. eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows you to add the rule , where eth10.10 interface is not created. But will not allow to delete as the label maps to * by if_nametoindex(). diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 25cb177..407f650 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -145,13 +145,9 @@ void add_outiface(struct nft_rule *r, char *iface, int invflags) else op = NFT_CMP_EQ; - if (iface[iface_len - 1] == '+') { - add_meta(r, NFT_META_OIFNAME); - add_cmp_ptr(r, op, iface, iface_len - 1); - } else { - add_meta(r, NFT_META_OIF); - add_cmp_u32(r, if_nametoindex(iface), op); - } + /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in iptables */ + add_meta(r, NFT_META_OIFNAME); + add_cmp_ptr(r, op, iface, iface_len); } void add_addr(struct nft_rule *r, int offset, @@ -267,15 +263,15 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface, *invflags |= IPT_INV_VIA_OUT; memcpy(outiface, ifname, len); - outiface[len] = '\0'; - /* If zero, then this is an interface mask */ - if (if_nametoindex(outiface) == 0) { - outiface[len] = '+'; - outiface[len+1] = '\0'; - } + if (outiface[len -1] == '+') { + outiface[len] = '\0'; + memset(outiface_mask, 0xff, (len - 1)); + } else { + outiface[len + 1 ] = '\0'; + memset(outiface_mask, 0xff, (len + 1)); + } - memset(outiface_mask, 0xff, len); break; default: DEBUGP("unknown meta key %d\n", key); ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface 2013-10-11 6:04 [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface Anand Raj Manickam @ 2013-10-11 8:15 ` Pablo Neira Ayuso 2013-10-11 9:35 ` Anand Raj Manickam 0 siblings, 1 reply; 6+ messages in thread From: Pablo Neira Ayuso @ 2013-10-11 8:15 UTC (permalink / raw) To: Anand Raj Manickam; +Cc: netfilter-devel On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote: > This patch fixes the issue where , the Rules are added for non > existent interface and unable to delete. > eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows > you to add the rule , where eth10.10 interface is not created. > But will not allow to delete as the label maps to * by if_nametoindex(). This patch doesn't apply: patch -p1 < /tmp/anand.patch patching file iptables/nft-shared.c patch: **** malformed patch at line 6: *iface, int invflags) Please, no need to split things in that many chunks per file. One single patch file to address one thing is just fine, the repository has to remain in consistent state between patches. Thanks. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface 2013-10-11 8:15 ` Pablo Neira Ayuso @ 2013-10-11 9:35 ` Anand Raj Manickam 2013-10-11 9:50 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: Anand Raj Manickam @ 2013-10-11 9:35 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel [-- Attachment #1: Type: text/plain, Size: 890 bytes --] On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote: >> This patch fixes the issue where , the Rules are added for non >> existent interface and unable to delete. >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows >> you to add the rule , where eth10.10 interface is not created. >> But will not allow to delete as the label maps to * by if_nametoindex(). > > This patch doesn't apply: > > patch -p1 < /tmp/anand.patch > patching file iptables/nft-shared.c > patch: **** malformed patch at line 6: *iface, int invflags) > > Please, no need to split things in that many chunks per file. One > single patch file to address one thing is just fine, the repository > has to remain in consistent state between patches. > > Thanks. Merged all into a single patch. Thanks, Anand [-- Attachment #2: tmp.patch --] [-- Type: application/octet-stream, Size: 3247 bytes --] diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 25cb177..a115d7d 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -124,13 +124,8 @@ void add_iniface(struct nft_rule *r, char *iface, int invflags) else op = NFT_CMP_EQ; - if (iface[iface_len - 1] == '+') { - add_meta(r, NFT_META_IIFNAME); - add_cmp_ptr(r, op, iface, iface_len - 1); - } else { - add_meta(r, NFT_META_IIF); - add_cmp_u32(r, if_nametoindex(iface), op); - } + add_meta(r, NFT_META_IIFNAME); + add_cmp_ptr(r, op, iface, iface_len); } void add_outiface(struct nft_rule *r, char *iface, int invflags) @@ -145,13 +140,9 @@ void add_outiface(struct nft_rule *r, char *iface, int invflags) else op = NFT_CMP_EQ; - if (iface[iface_len - 1] == '+') { - add_meta(r, NFT_META_OIFNAME); - add_cmp_ptr(r, op, iface, iface_len - 1); - } else { - add_meta(r, NFT_META_OIF); - add_cmp_u32(r, if_nametoindex(iface), op); - } + /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in iptables */ + add_meta(r, NFT_META_OIFNAME); + add_cmp_ptr(r, op, iface, iface_len); } void add_addr(struct nft_rule *r, int offset, @@ -227,39 +218,20 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface, uint32_t len; switch(key) { - case NFT_META_IIF: - value = nft_rule_expr_get_u32(e, NFT_EXPR_CMP_DATA); - if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ) - *invflags |= IPT_INV_VIA_IN; - - if_indextoname(value, iniface); - - memset(iniface_mask, 0xff, strlen(iniface)+1); - break; - case NFT_META_OIF: - value = nft_rule_expr_get_u32(e, NFT_EXPR_CMP_DATA); - if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ) - *invflags |= IPT_INV_VIA_OUT; - - if_indextoname(value, outiface); - - memset(outiface_mask, 0xff, strlen(outiface)+1); - break; case NFT_META_IIFNAME: ifname = nft_rule_expr_get(e, NFT_EXPR_CMP_DATA, &len); if (nft_rule_expr_get_u8(e, NFT_EXPR_CMP_OP) == NFT_CMP_NEQ) *invflags |= IPT_INV_VIA_IN; memcpy(iniface, ifname, len); - iniface[len] = '\0'; - /* If zero, then this is an interface mask */ - if (if_nametoindex(iniface) == 0) { - iniface[len] = '+'; - iniface[len+1] = '\0'; + if (iniface[len-1] == '+') { + iniface[len] = '\0'; + memset(iniface_mask, 0xff, (len - 1)); + } else { + iniface[len + 1] = '\0'; + memset(iniface_mask, 0xff, (len + 1)); } - - memset(iniface_mask, 0xff, len); break; case NFT_META_OIFNAME: ifname = nft_rule_expr_get(e, NFT_EXPR_CMP_DATA, &len); @@ -267,15 +239,15 @@ void parse_meta(struct nft_rule_expr *e, uint8_t key, char *iniface, *invflags |= IPT_INV_VIA_OUT; memcpy(outiface, ifname, len); - outiface[len] = '\0'; - /* If zero, then this is an interface mask */ - if (if_nametoindex(outiface) == 0) { - outiface[len] = '+'; - outiface[len+1] = '\0'; - } + if (outiface[len -1] == '+') { + outiface[len] = '\0'; + memset(outiface_mask, 0xff, (len - 1)); + } else { + outiface[len + 1 ] = '\0'; + memset(outiface_mask, 0xff, (len + 1)); + } - memset(outiface_mask, 0xff, len); break; default: DEBUGP("unknown meta key %d\n", key); ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface 2013-10-11 9:35 ` Anand Raj Manickam @ 2013-10-11 9:50 ` Pablo Neira Ayuso 2013-10-11 10:07 ` Anand Raj Manickam 0 siblings, 1 reply; 6+ messages in thread From: Pablo Neira Ayuso @ 2013-10-11 9:50 UTC (permalink / raw) To: Anand Raj Manickam; +Cc: netfilter-devel On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote: > On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote: > >> This patch fixes the issue where , the Rules are added for non > >> existent interface and unable to delete. > >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows > >> you to add the rule , where eth10.10 interface is not created. > >> But will not allow to delete as the label maps to * by if_nametoindex(). > > > > This patch doesn't apply: > > > > patch -p1 < /tmp/anand.patch > > patching file iptables/nft-shared.c > > patch: **** malformed patch at line 6: *iface, int invflags) > > > > Please, no need to split things in that many chunks per file. One > > single patch file to address one thing is just fine, the repository > > has to remain in consistent state between patches. > > > > Thanks. > > Merged all into a single patch. I still think this still breaks -i eth+ matching, as there was special handling for that case. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface 2013-10-11 9:50 ` Pablo Neira Ayuso @ 2013-10-11 10:07 ` Anand Raj Manickam 2013-10-11 11:03 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: Anand Raj Manickam @ 2013-10-11 10:07 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: netfilter-devel On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote: >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote: >> >> This patch fixes the issue where , the Rules are added for non >> >> existent interface and unable to delete. >> >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows >> >> you to add the rule , where eth10.10 interface is not created. >> >> But will not allow to delete as the label maps to * by if_nametoindex(). >> > >> > This patch doesn't apply: >> > >> > patch -p1 < /tmp/anand.patch >> > patching file iptables/nft-shared.c >> > patch: **** malformed patch at line 6: *iface, int invflags) >> > >> > Please, no need to split things in that many chunks per file. One >> > single patch file to address one thing is just fine, the repository >> > has to remain in consistent state between patches. >> > >> > Thanks. >> >> Merged all into a single patch. > > I still think this still breaks -i eth+ matching, as there was special > handling for that case. Can you share me the exact case ? It does NOT work on rules added before patch. The patch looks good on my setup.. xtables -I INPUT -i eth+ -j ACCEPT xtables -L INPUT -nv Chain INPUT (policy ACCEPT 142K packets, 19M bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0 # xtables -D INPUT -i eth+ -j ACCEPT comparing with... -A INPUT -c 0 0 -i eth+ -j ACCEPT DEBUG: rule: ip filter INPUT 29 0 [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x2b687465 ] [ counter pkts 0 bytes 0 ] [ immediate reg 0 1 ] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface 2013-10-11 10:07 ` Anand Raj Manickam @ 2013-10-11 11:03 ` Pablo Neira Ayuso 0 siblings, 0 replies; 6+ messages in thread From: Pablo Neira Ayuso @ 2013-10-11 11:03 UTC (permalink / raw) To: Anand Raj Manickam; +Cc: netfilter-devel On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote: > On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote: > >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote: > >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote: > >> >> This patch fixes the issue where , the Rules are added for non > >> >> existent interface and unable to delete. > >> >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows > >> >> you to add the rule , where eth10.10 interface is not created. > >> >> But will not allow to delete as the label maps to * by if_nametoindex(). > >> > > >> > This patch doesn't apply: > >> > > >> > patch -p1 < /tmp/anand.patch > >> > patching file iptables/nft-shared.c > >> > patch: **** malformed patch at line 6: *iface, int invflags) > >> > > >> > Please, no need to split things in that many chunks per file. One > >> > single patch file to address one thing is just fine, the repository > >> > has to remain in consistent state between patches. > >> > > >> > Thanks. > >> > >> Merged all into a single patch. > > > > I still think this still breaks -i eth+ matching, as there was special > > handling for that case. > > Can you share me the exact case ? It does NOT work on rules added before patch. > > The patch looks good on my setup.. > xtables -I INPUT -i eth+ -j ACCEPT > > xtables -L INPUT -nv > Chain INPUT (policy ACCEPT 142K packets, 19M bytes) > pkts bytes target prot opt in out source > destination > 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 > 0.0.0.0/0 > > # xtables -D INPUT -i eth+ -j ACCEPT > comparing with... -A INPUT -c 0 0 -i eth+ -j ACCEPT > DEBUG: rule: ip filter INPUT 29 0 > [ meta load iifname => reg 1 ] > [ cmp eq reg 1 0x2b687465 ] > [ counter pkts 0 bytes 0 ] > [ immediate reg 0 1 ] I guess that seems to work by adding/removing rules, but packet matching won't work since from the kernel side it will strictly compare the string, eg. eth0 == eth+. Note that eth+ means we want to match all interfaces starting by 'eth' ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-10-11 11:03 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2013-10-11 6:04 [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface Anand Raj Manickam 2013-10-11 8:15 ` Pablo Neira Ayuso 2013-10-11 9:35 ` Anand Raj Manickam 2013-10-11 9:50 ` Pablo Neira Ayuso 2013-10-11 10:07 ` Anand Raj Manickam 2013-10-11 11:03 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).