From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, pablo@netfilter.org
Subject: [iptables PATCH] libxtables: extensions find based also on family
Date: Wed, 08 Apr 2015 19:42:19 +0200
Message-ID: <20150408174219.25244.24487.stgit@nfdev2.cica.es>
When using libxtables with an external program (nft) which switches family
contexts (using xtables_set_nfproto()), the extension-finding process
needs to be smarter and also know about the family.
We want to avoid this situation:
1) user first sets context to IPv6
2) xtables_find_target() finds & loads ip6t_REJECT and uses it
3) context switch to IPv4
4) user then tries to use ipt_REJECT
5) xtables_find_target() will find ip6t_REJECT instead (same target name)
6) using ip6t_REJECT as ipt_REJECT can cause a lot of trouble
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
libxtables/xtables.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 9df12ce..c56d7dd 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -603,6 +603,17 @@ static void *load_extension(const char *search_path, const char *af_prefix,
}
#endif
+static bool extension_cmp(const char *name1, const char *name2,
+ uint32_t family)
+{
+ if ((strcmp(name1, name2) == 0) &&
+ ((family == afinfo->family) ||
+ (family == NFPROTO_UNSPEC)))
+ return true;
+
+ return false;
+}
+
struct xtables_match *
xtables_find_match(const char *name, enum xtables_tryload tryload,
struct xtables_rule_match **matches)
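Review bot: extension_cmp() can be a single return and needs a comment, because the NFPROTO_UNSPEC clause is the non-obvious part: `return strcmp(name1, name2) == 0 && (family == afinfo->family || family == NFPROTO_UNSPEC);` with a line above it saying that extensions registered as NFPROTO_UNSPEC are shared by every family. Consider also testing the family before calling strcmp(), which skips the string compare for every entry of the other family; and note that the helper reads the global afinfo instead of taking the active family as a parameter, so it silently depends on xtables_set_nfproto() having been called before the first lookup.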
@@ -625,7 +636,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
/* Trigger delayed initialization */
for (dptr = &xtables_pending_matches; *dptr; ) {
- if (strcmp(name, (*dptr)->name) == 0) {
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
ptr->next = NULL;
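Review bot: after this change an entry in xtables_pending_matches with the same name but another family is deliberately left pending rather than initialised; the existing "Trigger delayed initialization" comment does not say so, so extend it (e.g. "only for the active family; entries of other families stay pending") to stop a later reader from turning this back into a plain strcmp().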
@@ -636,7 +647,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
}
for (ptr = xtables_matches; ptr; ptr = ptr->next) {
- if (strcmp(name, ptr->name) == 0) {
+ if (extension_cmp(name, ptr->name, ptr->family)) {
struct xtables_match *clone;
/* First match of this type: */
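Review bot: with the family now part of the key, xtables_matches can legitimately hold two entries of the same name (an ipt_ and an ip6t_ variant) at once, which the old name-only compare never allowed; please confirm that xtables_register_match() and any other code walking xtables_matches by name alone (duplicate detection, option merging) tolerate that, otherwise the second registration may be dropped before this loop ever sees it.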
@@ -686,7 +697,8 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
newentry = xtables_malloc(sizeof(struct xtables_rule_match));
for (i = matches; *i; i = &(*i)->next) {
- if (strcmp(name, (*i)->match->name) == 0)
+ if (extension_cmp(name, (*i)->match->name,
+ (*i)->match->family))
(*i)->completed = true;
}
newentry->match = ptr;
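Review bot: in this loop the family handed to extension_cmp() is that of a match already attached to the rule being built, so the family test only differs from the old strcmp() if one rule can hold matches found under two different afinfo->family values; if that cannot happen, a plain strcmp() here is clearer, and if it can, a comment should say why a same-name match of the other family must not be marked completed.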
@@ -714,7 +726,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
/* Trigger delayed initialization */
for (dptr = &xtables_pending_targets; *dptr; ) {
- if (strcmp(name, (*dptr)->name) == 0) {
+ if (extension_cmp(name, (*dptr)->name, (*dptr)->family)) {
ptr = *dptr;
*dptr = (*dptr)->next;
ptr->next = NULL;
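Review bot: this hunk and the next are the ones that address steps 4 and 5 of the commit message, yet the patch carries no test; a small regression case that calls xtables_set_nfproto(NFPROTO_IPV6), looks up "REJECT" with xtables_find_target(), switches to NFPROTO_IPV4 and checks the family of the target returned by a second lookup would pin the behaviour down. The pending-target loop is also now a verbatim copy of the pending-match loop above; the "find and unlink from the pending list" step could live in one shared helper.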
@@ -725,7 +737,7 @@ xtables_find_target(const char *name, enum xtables_tryload tryload)
}
for (ptr = xtables_targets; ptr; ptr = ptr->next) {
- if (strcmp(name, ptr->name) == 0)
+ if (extension_cmp(name, ptr->name, ptr->family))
break;
}
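Review bot: once a loaded target of the other family is skipped here, xtables_find_target() falls through to the load path, which is the intended fix, but the comparator is asymmetric and that is worth a comment or a guard: a target registered for NFPROTO_UNSPEC matches under any active family, while a family-specific target never matches when afinfo->family itself is NFPROTO_UNSPEC (`family == afinfo->family` and `family == NFPROTO_UNSPEC` are both false), so a caller that looks up targets before a family has been selected will now miss ipt_ and ip6t_ targets it found before this patch.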
Thread overview:
2015-04-08 17:42 Arturo Borrero Gonzalez [this message]
2015-04-09 17:05 ` [iptables PATCH] libxtables: extensions find based also on family Pablo Neira Ayuso
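The six-step failure described in the commit message, and the comparator the patch introduces to close it, modelled as an added, self-contained C example (this is not code from iptables or from the patch author): a constructed registry of three targets stands in for xtables_targets, the variable afinfo_family for the global afinfo->family, and load_ipt_reject() for the load_extension() fallback that runs when no resident target matches. The NFPROTO_* values are copied from linux/netfilter.h so no kernel headers are needed; struct ext and every function name here are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values mirror NFPROTO_* from <linux/netfilter.h>; redefined so the
 * example builds without kernel headers. */
enum { NFPROTO_UNSPEC = 0, NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 };

/* Hypothetical, cut-down stand-in for struct xtables_target. */
struct ext {
    const char *name;
    uint16_t family;
    const char *module;   /* shared object the entry was loaded from */
    struct ext *next;
};

/* Stand-in for the global afinfo->family that xtables_set_nfproto() switches. */
static unsigned int afinfo_family = NFPROTO_IPV4;

static void set_nfproto(unsigned int family)
{
    afinfo_family = family;
}

/* Constructed registry: one family-independent target (registered with
 * NFPROTO_UNSPEC, as xt_ targets are) plus the IPv6 REJECT that was loaded
 * while the IPv6 context was active. The IPv4 REJECT is not resident yet. */
static struct ext nflog = { "NFLOG", NFPROTO_UNSPEC, "libxt_NFLOG.so", NULL };
static struct ext ip6t_reject = { "REJECT", NFPROTO_IPV6, "libip6t_REJECT.so", &nflog };
static struct ext ipt_reject = { "REJECT", NFPROTO_IPV4, "libipt_REJECT.so", NULL };

static struct ext *registry = &ip6t_reject;

/* Pre-patch lookup: the name is the only key. */
static struct ext *find_by_name(const char *name)
{
    struct ext *p;
    for (p = registry; p; p = p->next)
        if (strcmp(name, p->name) == 0)
            return p;
    return NULL;
}

/* The patch's comparator: same name, and the entry is either registered for
 * the active family or is family-independent. */
static bool extension_cmp(const char *name1, const char *name2, uint32_t family)
{
    return strcmp(name1, name2) == 0 &&
           (family == afinfo_family || family == NFPROTO_UNSPEC);
}

/* Post-patch lookup: a resident entry of the wrong family is skipped, so the
 * caller falls through to loading the right module (load_ipt_reject below). */
static struct ext *find_by_family(const char *name)
{
    struct ext *p;
    for (p = registry; p; p = p->next)
        if (extension_cmp(name, p->name, p->family))
            return p;
    return NULL;
}

/* Models what load_extension() does for the IPv4 prefix: the freshly loaded
 * target is registered at the head of the list. */
static void load_ipt_reject(void)
{
    ipt_reject.next = registry;
    registry = &ipt_reject;
}

/* Runs the scenario from the commit message and reports which module each
 * lookup style hands back for REJECT once the context has switched to IPv4. */
static const char *reject_module_after_switch(bool family_aware)
{
    registry = &ip6t_reject;          /* reset: only ip6t_REJECT resident */
    ipt_reject.next = NULL;
    set_nfproto(NFPROTO_IPV6);
    (void)find_by_family("REJECT");   /* step 2: IPv6 lookup finds ip6t_REJECT */
    set_nfproto(NFPROTO_IPV4);        /* step 3: context switch */
    if (!family_aware)
        return find_by_name("REJECT")->module;   /* step 5: wrong family */
    if (find_by_family("REJECT") == NULL)
        load_ipt_reject();            /* nothing usable resident: load ipt_REJECT */
    return find_by_family("REJECT")->module;
}

int main(void)
{
    printf("name-only lookup   : %s\n", reject_module_after_switch(false));
    printf("family-aware lookup: %s\n", reject_module_after_switch(true));
    printf("NFLOG in IPv4 ctx  : %s\n", find_by_family("NFLOG")->module);
    return 0;
}
```

Compiled and run, the name-only lookup hands an IPv4 rule libip6t_REJECT.so, the family-aware one loads and returns libipt_REJECT.so, and NFLOG (registered NFPROTO_UNSPEC) resolves in either context. Note the asymmetry the comparator has: an entry registered NFPROTO_UNSPEC matches under any active family, but a family-specific entry never matches while the active family is NFPROTO_UNSPEC.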