[iptables PATCH 0/7] Small ebtables-translate review + extras

[iptables PATCH 0/7] Small ebtables-translate review + extras

[Phil Sutter]

The initial goal was to fix the apparent problem of ebtables-translate
printing 'counter' statement in wrong position, namely after the
verdict. Turns out this happened when targets were used "implicitly",
i.e. without requesting them via '-j'. Since ebtables-nft loaded all
extensions (including targets) upfront, a syntax like:

| # ebtables-nft -A FORWARD --mark-set 1

was accepted and valid. The 'mark' target in this case was added to
iptables_command_state's 'match_list' as if it was a watcher.

Legacy ebtables does not allow this syntax, also it becomes hard for
users to realize why two targets can't be used in the same rule. So
reject this (in patch 2) and implicitly fix the case of 'counter'
statement in wrong position.

Fixing the above caused some fallout: Patch 1 fixes error reporting of
unknown arguments (or missing mandatory parameters) in all tools, patch
7 extends xlate-test.py to conveniently run for all libebt_*.txlate
files (for instance).

The remaining patches 3 to 6 contain cleanups of xtables-eb-translate.c
in comparison to xtables-eb.c, also kind of preparing for a merge of the
two largely identical parsers (at least).

Phil Sutter (7):
  Proper fix for "unknown argument" error message
  ebtables: Refuse unselected targets' options
  ebtables-translate: Drop exec_style
  ebtables-translate: Use OPT_* from xshared.h
  ebtables-translate: Ignore '-j CONTINUE'
  ebtables-translate: Print flush command after parsing is finished
  tests: xlate: Support testing multiple individual files

 extensions/libebt_dnat.txlate                 | 12 ++--
 extensions/libebt_log.c                       |  1 +
 extensions/libebt_mark.txlate                 | 16 ++---
 extensions/libebt_nflog.c                     |  1 +
 extensions/libebt_snat.txlate                 |  8 +--
 include/xtables.h                             |  1 +
 .../ebtables/0002-ebtables-save-restore_0     |  4 +-
 .../testcases/iptables/0009-unknown-arg_0     | 31 ++++++++++
 iptables/xshared.c                            |  9 ++-
 iptables/xtables-eb-translate.c               | 61 +++++++------------
 iptables/xtables-eb.c                         | 46 +++++++-------
 xlate-test.py                                 | 21 ++++---
 12 files changed, 115 insertions(+), 96 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0

-- 
2.38.0

[iptables PATCH 1/7] Proper fix for "unknown argument" error message

[Phil Sutter]

While commit 1b8210f848631 kind of fixed the corner-case of invalid
short-options packed with others, it broke error reporting for
long-options. Revert it and deploy a proper solution:

When passing an invalid short-option, e.g. 'iptables -vaL', getopt_long
sets the variable 'optopt' to the invalid character's value. Use it for
reporting instead of optind if set.

To distinguish between invalid options and missing option arguments,
ebtables-translate optstring needs adjustment.

Fixes: 1b8210f848631 ("ebtables: Fix error message for invalid parameters")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 .../testcases/iptables/0009-unknown-arg_0     | 31 +++++++++++++++++++
 iptables/xshared.c                            |  9 ++++--
 iptables/xtables-eb-translate.c               |  8 ++---
 iptables/xtables-eb.c                         | 17 ++++++----
 4 files changed, 50 insertions(+), 15 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0

diff --git a/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0 b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
new file mode 100755
index 0000000000000..ac6e743966196
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0009-unknown-arg_0
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+rc=0
+
+check() {
+	local cmd="$1"
+	local msg="$2"
+
+	$XT_MULTI $cmd 2>&1 | grep -q "$msg" || {
+		echo "cmd: $XT_MULTI $1"
+		echo "exp: $msg"
+		echo "res: $($XT_MULTI $cmd 2>&1)"
+		rc=1
+	}
+}
+
+cmds="iptables ip6tables"
+[[ $XT_MULTI == *xtables-nft-multi ]] && {
+	cmds+=" ebtables"
+	cmds+=" iptables-translate"
+	cmds+=" ip6tables-translate"
+	cmds+=" ebtables-translate"
+}
+
+for cmd in $cmds; do
+	check "${cmd} --foo" 'unknown option "--foo"'
+	check "${cmd} -A" 'option "-A" requires an argument'
+	check "${cmd} -aL" 'unknown option "-a"'
+done
+
+exit $rc
diff --git a/iptables/xshared.c b/iptables/xshared.c
index f93529b11a319..ac51fac5ce9ed 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -192,9 +192,12 @@ static int command_default(struct iptables_command_state *cs,
 	if (cs->c == ':')
 		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
 		              "requires an argument", cs->argv[optind-1]);
-	if (cs->c == '?')
-		xtables_error(PARAMETER_PROBLEM, "unknown option "
-			      "\"%s\"", cs->argv[optind-1]);
+	if (cs->c == '?') {
+		char optoptstr[3] = {'-', optopt, '\0'};
+
+		xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
+			      optopt ? optoptstr : cs->argv[optind - 1]);
+	}
 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
 }
 
diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 13b6b864a5f24..0c35272051752 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -201,7 +201,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 	printf("nft ");
 	/* Getopt saves the day */
 	while ((c = getopt_long(argc, argv,
-	   "-A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
+	   "-:A:D:I:N:E:X::L::Z::F::P:Vhi:o:j:c:p:s:d:t:M:", opts, NULL)) != -1) {
 		cs.c = c;
 		switch (c) {
 		case 'A': /* Add a rule */
@@ -491,11 +491,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 			continue;
 		default:
 			ebt_check_inverse2(optarg, argc, argv);
-
-			if (ebt_command_default(&cs))
-				xtables_error(PARAMETER_PROBLEM,
-					      "Unknown argument: '%s'",
-					      argv[optind - 1]);
+			ebt_command_default(&cs);
 
 			if (command != 'A' && command != 'I' &&
 			    command != 'D')
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 7214a767ffe96..412b5cccdc46a 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -640,7 +640,16 @@ int ebt_command_default(struct iptables_command_state *cs)
 			return 0;
 		}
 	}
-	return 1;
+	if (cs->c == ':')
+		xtables_error(PARAMETER_PROBLEM, "option \"%s\" "
+		              "requires an argument", cs->argv[optind - 1]);
+	if (cs->c == '?') {
+		char optoptstr[3] = {'-', optopt, '\0'};
+
+		xtables_error(PARAMETER_PROBLEM, "unknown option \"%s\"",
+			      optopt ? optoptstr : cs->argv[optind - 1]);
+	}
+	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
 }
 
 int nft_init_eb(struct nft_handle *h, const char *pname)
@@ -1084,11 +1093,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
 			continue;
 		default:
 			ebt_check_inverse2(optarg, argc, argv);
-
-			if (ebt_command_default(&cs))
-				xtables_error(PARAMETER_PROBLEM,
-					      "Unknown argument: '%s'",
-					      argv[optind]);
+			ebt_command_default(&cs);
 
 			if (command != 'A' && command != 'I' &&
 			    command != 'D' && command != 'C' && command != 14)
-- 
2.38.0

[iptables PATCH 2/7] ebtables: Refuse unselected targets' options

[Phil Sutter]

Unlike legacy, ebtables-nft would allow e.g.:

| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be

While the result is correct, it may mislead users into believing
multiple targets are possible per rule. Better follow legacy's behaviour
and reject target options unless they have been "enabled" by a previous
'-j' option.

To achieve this, one needs to distinguish targets from watchers also
attached to 'xtables_targets' and otherwise behaving like regular
matches. Introduce XTABLES_EXT_WATCHER to mark the two.

The above works already, but error messages are misleading when using
the now unsupported syntax since target options have been merged
already. Solve this by not pre-loading the targets at all, code will
just fall back to loading ad '-j' parsing time as iptables does.

Note how this also fixes for 'counter' statement being in wrong position
of ebtables-translate output.

Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/libebt_dnat.txlate                 | 12 ++++----
 extensions/libebt_log.c                       |  1 +
 extensions/libebt_mark.txlate                 | 16 +++++-----
 extensions/libebt_nflog.c                     |  1 +
 extensions/libebt_snat.txlate                 |  8 ++---
 include/xtables.h                             |  1 +
 .../ebtables/0002-ebtables-save-restore_0     |  4 +--
 iptables/xtables-eb.c                         | 29 +++++++------------
 8 files changed, 33 insertions(+), 39 deletions(-)

diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate
index 9f305c76c954f..531a22aa3e14f 100644
--- a/extensions/libebt_dnat.txlate
+++ b/extensions/libebt_dnat.txlate
@@ -1,8 +1,8 @@
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff continue'
diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c
index 045062196d20d..9f8d158956802 100644
--- a/extensions/libebt_log.c
+++ b/extensions/libebt_log.c
@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl,
 static struct xtables_target brlog_target = {
 	.name		= "log",
 	.revision	= 0,
+	.ext_flags	= XTABLES_EXT_WATCHER,
 	.version	= XTABLES_VERSION,
 	.family		= NFPROTO_BRIDGE,
 	.size		= XT_ALIGN(sizeof(struct ebt_log_info)),
diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate
index d006e8ac94008..4ace1a1f5cfde 100644
--- a/extensions/libebt_mark.txlate
+++ b/extensions/libebt_mark.txlate
@@ -1,11 +1,11 @@
-ebtables-translate -A INPUT --mark-set 42
-nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-set 42
+nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept'
 
-ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
-nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter'
+ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN
+nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return'
 
-ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
-nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT
+nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept'
 
-ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
-nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter'
+ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP
+nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop'
diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c
index 115e15da45845..762d6d5d8bbe2 100644
--- a/extensions/libebt_nflog.c
+++ b/extensions/libebt_nflog.c
@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl,
 static struct xtables_target brnflog_watcher = {
 	.name		= "nflog",
 	.revision	= 0,
+	.ext_flags	= XTABLES_EXT_WATCHER,
 	.version	= XTABLES_VERSION,
 	.family		= NFPROTO_BRIDGE,
 	.size		= XT_ALIGN(sizeof(struct ebt_nflog_info)),
diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate
index 857a6052aed1a..37343d3a14754 100644
--- a/extensions/libebt_snat.txlate
+++ b/extensions/libebt_snat.txlate
@@ -1,5 +1,5 @@
-ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff
-nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff
+nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
-nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
+nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue'
diff --git a/include/xtables.h b/include/xtables.h
index 4ffc8ec5a17e9..087a1d600f9ae 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -203,6 +203,7 @@ struct xtables_lmap {
 
 enum xtables_ext_flags {
 	XTABLES_EXT_ALIAS = 1 << 0,
+	XTABLES_EXT_WATCHER = 1 << 1,
 };
 
 struct xt_xlate;
diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
index 1091a4e80bebe..b4f9728bb9b6f 100755
--- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT
 
 $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT
 $XT_MULTI ebtables -A foo --log
-$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT
+$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT
 $XT_MULTI ebtables -A foo --nflog
 $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT
 $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT
@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo
 $XT_MULTI ebtables -N bar
 $XT_MULTI ebtables -P bar RETURN
 
-$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT
+$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT
 #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01
 
 $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 412b5cccdc46a..3a73e79725489 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name)
 		xtables_error(OTHER_PROBLEM, "Can't alloc memory");
 }
 
-static void __ebt_load_watcher(const char *name, const char *typename)
+static void ebt_load_watcher(const char *name)
 {
 	struct xtables_target *watcher;
 	size_t size;
 
 	watcher = xtables_find_target(name, XTF_TRY_LOAD);
 	if (!watcher) {
-		fprintf(stderr, "Unable to load %s %s\n", name, typename);
+		fprintf(stderr, "Unable to load %s watcher\n", name);
 		return;
 	}
 
@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename)
 		xtables_error(OTHER_PROBLEM, "Can't alloc memory");
 }
 
-static void ebt_load_watcher(const char *name)
-{
-	return __ebt_load_watcher(name, "watcher");
-}
-
-static void ebt_load_target(const char *name)
-{
-	return __ebt_load_watcher(name, "target");
-}
-
 void ebt_load_match_extensions(void)
 {
 	opts = ebt_original_options;
@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void)
 
 	ebt_load_watcher("log");
 	ebt_load_watcher("nflog");
-
-	ebt_load_target("mark");
-	ebt_load_target("dnat");
-	ebt_load_target("snat");
-	ebt_load_target("arpreply");
-	ebt_load_target("redirect");
-	ebt_load_target("standard");
 }
 
 void ebt_add_match(struct xtables_match *m,
@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs)
 
 	/* Is it a watcher option? */
 	for (t = xtables_targets; t; t = t->next) {
+		if (!(t->ext_flags & XTABLES_EXT_WATCHER))
+			continue;
+
 		if (t->parse &&
 		    t->parse(cs->c - t->option_offset, cs->argv,
 			     ebt_invert, &t->tflags, NULL, &t->t)) {
@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
 	optind = 0;
 	opterr = false;
 
+	for (t = xtables_targets; t; t = t->next) {
+		t->tflags = 0;
+		t->used = 0;
+	}
+
 	/* Getopt saves the day */
 	while ((c = getopt_long(argc, argv, EBT_OPTSTRING,
 					opts, NULL)) != -1) {
-- 
2.38.0

[iptables PATCH 3/7] ebtables-translate: Drop exec_style

[Phil Sutter]

Apply the changes from commit 816bd1fdecb63 ("ebtables-nft: remove
exec_style") to ebtables-translate, too.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb-translate.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 0c35272051752..4db10ae6706a1 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -24,9 +24,6 @@
 /*
  * From include/ebtables_u.h
  */
-#define EXEC_STYLE_PRG    0
-#define EXEC_STYLE_DAEMON 1
-
 #define ebt_check_option2(flags, mask) EBT_CHECK_OPTION(flags, mask)
 
 extern int ebt_invert;
@@ -172,7 +169,6 @@ static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct xt_cmd_parse
 	return ret;
 }
 
-/* We use exec_style instead of #ifdef's because ebtables.so is a shared object. */
 static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char **table)
 {
 	char *buffer;
@@ -187,7 +183,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 	};
 	char command = 'h';
 	const char *chain = NULL;
-	int exec_style = EXEC_STYLE_PRG;
 	int selected_chain = -1;
 	struct xtables_rule_match *xtrm_i;
 	struct ebt_match *match;
@@ -292,9 +287,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 			if (OPT_COMMANDS)
 				xtables_error(PARAMETER_PROBLEM,
 					      "Multiple commands are not allowed");
-			if (exec_style == EXEC_STYLE_DAEMON)
-				xtables_error(PARAMETER_PROBLEM,
-					      "%s %s", prog_name, prog_vers);
 			printf("%s %s\n", prog_name, prog_vers);
 			exit(0);
 		case 'h':
-- 
2.38.0

[iptables PATCH 4/7] ebtables-translate: Use OPT_* from xshared.h

[Phil Sutter]

Same as commit db420e268735e ("ebtables: Merge OPT_* flags with xshared
ones") but also introduce 'table_set' as a replacement for OPT_TABLE.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb-translate.c | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 4db10ae6706a1..49ae6f64a9741 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -68,19 +68,6 @@ static int parse_rule_number(const char *rule)
 /* Checks whether a command has already been specified */
 #define OPT_COMMANDS (flags & OPT_COMMAND || flags & OPT_ZERO)
 
-#define OPT_COMMAND	0x01
-#define OPT_TABLE	0x02
-#define OPT_IN		0x04
-#define OPT_OUT		0x08
-#define OPT_JUMP	0x10
-#define OPT_PROTOCOL	0x20
-#define OPT_SOURCE	0x40
-#define OPT_DEST	0x80
-#define OPT_ZERO	0x100
-#define OPT_LOGICALIN	0x200
-#define OPT_LOGICALOUT	0x400
-#define OPT_COUNT	0x1000 /* This value is also defined in libebtc.c */
-
 /* Default command line options. Do not mess around with the already
  * assigned numbers unless you know what you are doing */
 extern struct option ebt_original_options[];
@@ -189,6 +176,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 	struct xt_cmd_parse p = {
 		.table          = *table,
         };
+	bool table_set = false;
 
 	/* prevent getopt to spoil our error reporting */
 	opterr = false;
@@ -299,13 +287,16 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 			if (OPT_COMMANDS)
 				xtables_error(PARAMETER_PROBLEM,
 					      "Please put the -t option first");
-			ebt_check_option2(&flags, OPT_TABLE);
+			if (table_set)
+				xtables_error(PARAMETER_PROBLEM,
+					      "Multiple use of same option not allowed");
 			if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
 				xtables_error(PARAMETER_PROBLEM,
 					      "Table name length cannot exceed %d characters",
 					      EBT_TABLE_MAXNAMELEN - 1);
 			*table = optarg;
 			p.table = optarg;
+			table_set = true;
 			break;
 		case 'i': /* Input interface */
 		case 2  : /* Logical input interface */
@@ -323,7 +314,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 				xtables_error(PARAMETER_PROBLEM,
 					      "Command and option do not match");
 			if (c == 'i') {
-				ebt_check_option2(&flags, OPT_IN);
+				ebt_check_option2(&flags, OPT_VIANAMEIN);
 				if (selected_chain > 2 && selected_chain < NF_BR_BROUTING)
 					xtables_error(PARAMETER_PROBLEM,
 						      "Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains");
@@ -343,7 +334,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 				ebtables_parse_interface(optarg, cs.eb.logical_in);
 				break;
 			} else if (c == 'o') {
-				ebt_check_option2(&flags, OPT_OUT);
+				ebt_check_option2(&flags, OPT_VIANAMEOUT);
 				if (selected_chain < 2 || selected_chain == NF_BR_BROUTING)
 					xtables_error(PARAMETER_PROBLEM,
 						      "Use -o only in OUTPUT, FORWARD and POSTROUTING chains");
@@ -378,7 +369,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 				cs.eb.bitmask |= EBT_SOURCEMAC;
 				break;
 			} else if (c == 'd') {
-				ebt_check_option2(&flags, OPT_DEST);
+				ebt_check_option2(&flags, OPT_DESTINATION);
 				if (ebt_check_inverse2(optarg, argc, argv))
 					cs.eb.invflags |= EBT_IDEST;
 
@@ -389,7 +380,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 				cs.eb.bitmask |= EBT_DESTMAC;
 				break;
 			} else if (c == 'c') {
-				ebt_check_option2(&flags, OPT_COUNT);
+				ebt_check_option2(&flags, OPT_COUNTERS);
 				if (ebt_check_inverse2(optarg, argc, argv))
 					xtables_error(PARAMETER_PROBLEM,
 						      "Unexpected '!' after -c");
-- 
2.38.0

[iptables PATCH 5/7] ebtables-translate: Ignore '-j CONTINUE'

[Phil Sutter]

It is default behaviour. Does not hurt here, but reducing diff to
xtables-eb.c can't hurt.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb-translate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 49ae6f64a9741..99347c0c3ee46 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -355,7 +355,9 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 				break;
 			} else if (c == 'j') {
 				ebt_check_option2(&flags, OPT_JUMP);
-				command_jump(&cs, optarg);
+				if (strcmp(optarg, "CONTINUE") != 0) {
+					command_jump(&cs, optarg);
+				}
 				break;
 			} else if (c == 's') {
 				ebt_check_option2(&flags, OPT_SOURCE);
-- 
2.38.0

[iptables PATCH 6/7] ebtables-translate: Print flush command after parsing is finished

[Phil Sutter]

Otherwise, bad calls like 'ebtables-translate -F -F' produce wrong
output instead of an error message.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-eb-translate.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/iptables/xtables-eb-translate.c b/iptables/xtables-eb-translate.c
index 99347c0c3ee46..da7e5e3dda1f3 100644
--- a/iptables/xtables-eb-translate.c
+++ b/iptables/xtables-eb-translate.c
@@ -247,13 +247,6 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 			ret = 1;
 			break;
 		case 'F': /* Flush */
-			if (p.chain) {
-				printf("flush chain bridge %s %s\n", p.table, p.chain);
-			} else {
-				printf("flush table bridge %s\n", p.table);
-			}
-			ret = 1;
-			break;
 		case 'Z': /* Zero counters */
 			if (c == 'Z') {
 				if ((flags & OPT_ZERO) || (flags & OPT_COMMAND && command != 'L'))
@@ -506,6 +499,13 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
 
 	if (command == 'P') {
 		return 0;
+	} else if (command == 'F') {
+			if (p.chain) {
+				printf("flush chain bridge %s %s\n", p.table, p.chain);
+			} else {
+				printf("flush table bridge %s\n", p.table);
+			}
+			ret = 1;
 	} else if (command == 'A') {
 		ret = nft_rule_eb_xlate_add(h, &p, &cs, true);
 		if (!ret)
-- 
2.38.0

[iptables PATCH 7/7] tests: xlate: Support testing multiple individual files

[Phil Sutter]

Simple use-case: run xlate-test for ebtables-nft:

| % ./xlate-test.py extensions/libebt_*.txlate

The script interpreted all parameters as a single file.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 xlate-test.py | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/xlate-test.py b/xlate-test.py
index 4cb1401b71677..1b544600aa242 100755
--- a/xlate-test.py
+++ b/xlate-test.py
@@ -241,17 +241,22 @@ xtables_nft_multi = 'xtables-nft-multi'
                             + '/iptables/' + xtables_nft_multi
 
     files = tests = passed = failed = errors = 0
-    if args.test:
-        if not args.test.endswith(".txlate"):
-            args.test += ".txlate"
+    for test in args.test:
+        if not test.endswith(".txlate"):
+            test += ".txlate"
         try:
-            with open(args.test, "r") as payload:
-                files = 1
-                tests, passed, failed, errors = run_test(args.test, payload)
+            with open(test, "r") as payload:
+                t, p, f, e = run_test(test, payload)
+                files += 1
+                tests += t
+                passed += p
+                failed += f
+                errors += e
         except IOError:
             print(red("Error: ") + "test file does not exist", file=sys.stderr)
             return 99
-    else:
+
+    if files == 0:
         files, tests, passed, failed, errors = load_test_files()
 
     if files > 1:
@@ -272,6 +277,6 @@ parser.add_argument('-n', '--nft', type=str, default='nft',
                     help='Replay using given nft binary (default: \'%(default)s\')')
 parser.add_argument('--no-netns', action='store_true',
                     help='Do not run testsuite in own network namespace')
-parser.add_argument("test", nargs="?", help="run only the specified test file")
+parser.add_argument("test", nargs="*", help="run only the specified test file(s)")
 args = parser.parse_args()
 sys.exit(main())
-- 
2.38.0

Re: [iptables PATCH 0/7] Small ebtables-translate review + extras

[Phil Sutter]

On Thu, Jan 26, 2023 at 01:23:59PM +0100, Phil Sutter wrote:
> The initial goal was to fix the apparent problem of ebtables-translate
> printing 'counter' statement in wrong position, namely after the
> verdict. Turns out this happened when targets were used "implicitly",
> i.e. without requesting them via '-j'. Since ebtables-nft loaded all
> extensions (including targets) upfront, a syntax like:
> 
> | # ebtables-nft -A FORWARD --mark-set 1
> 
> was accepted and valid. The 'mark' target in this case was added to
> iptables_command_state's 'match_list' as if it was a watcher.
> 
> Legacy ebtables does not allow this syntax, also it becomes hard for
> users to realize why two targets can't be used in the same rule. So
> reject this (in patch 2) and implicitly fix the case of 'counter'
> statement in wrong position.
> 
> Fixing the above caused some fallout: Patch 1 fixes error reporting of
> unknown arguments (or missing mandatory parameters) in all tools, patch
> 7 extends xlate-test.py to conveniently run for all libebt_*.txlate
> files (for instance).
> 
> The remaining patches 3 to 6 contain cleanups of xtables-eb-translate.c
> in comparison to xtables-eb.c, also kind of preparing for a merge of the
> two largely identical parsers (at least).
> 
> Phil Sutter (7):
>   Proper fix for "unknown argument" error message
>   ebtables: Refuse unselected targets' options
>   ebtables-translate: Drop exec_style
>   ebtables-translate: Use OPT_* from xshared.h
>   ebtables-translate: Ignore '-j CONTINUE'
>   ebtables-translate: Print flush command after parsing is finished
>   tests: xlate: Support testing multiple individual files

Series applied.