From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>,
Giuseppe Longo <giuseppelng@gmail.com>
Subject: Re: [ebtables-compat-experimental5 PATCH v2] iptables: xtables-eb: user-defined chains default policy is always RETURN
Date: Mon, 24 Nov 2014 13:51:57 +0100
Message-ID: <20141124125157.GA11139@salvia>
In-Reply-To: <CAOkSjBj2ejY=rVcGhaBJ7uPP=a_Fzj5qrbnMLtB22P61V_7i9Q@mail.gmail.com>
On Mon, Nov 24, 2014 at 01:12:33PM +0100, Arturo Borrero Gonzalez wrote:
> On 24 November 2014 at 12:12, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> --- a/iptables/xtables-eb.c
> >> +++ b/iptables/xtables-eb.c
> >> @@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
> >> case 'E': /* Rename chain */
> >> case 'X': /* Delete chain */
> >> /* We allow -N chainname -P policy */
> >> + /* XXX: Not in ebtables-compat */
> >> if (command == 'N' && c == 'P') {
> >> command = c;
> >> optind--; /* No table specified */
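Review bot: The added "XXX: Not in ebtables-compat" comment sits directly
under "We allow -N chainname -P policy" and contradicts it without saying
what should happen instead, while the `if (command == 'N' && c == 'P')`
branch below is left in place, so that combination is still accepted by the
option parser. If ebtables-compat is not meant to support it, reject or
remove the branch in this patch; otherwise expand the comment to say why the
code stays and what the follow-up is.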
> >> @@ -1146,9 +1147,15 @@ check_extension: */
> >> cs.fw.ethproto = htons(cs.fw.ethproto);
> >>
> >> if (command == 'P') {
> >> - if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
> >> + if (selected_chain < 0) {
> >> + xtables_error(PARAMETER_PROBLEM,
> >> + "Default policy in user-defined"
> >> + " chains is mandatory RETURN");
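Review bot: In the new `if (selected_chain < 0)` branch the error is raised
for every policy value, RETURN included, because `policy` is no longer
compared against anything in the lines shown, yet the message "is mandatory
RETURN" reads as if -P with RETURN would be accepted. Either keep a
`strcmp(policy, "RETURN")` test so that only other policies are rejected, or
reword the message to say that a policy cannot be set on user-defined chains
at all, and pass the refused value through %s so the user sees what was
rejected.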
> >
> > The intended error should be something like:
> >
> > ... , "Policy %s only allowed from base chains", policy);
> >
> > right? I can mangle the patch here. Thanks.
>
> Ok, thanks.
Applied, thanks.
I have used "Policy XYZ not allowed for user defined chains" so we
basically disable policies from user-defined chains in
ebtables-compat.