[iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output
@ 2023-11-08  3:31 Phil Sutter
  2023-11-08  3:31 ` [iptables PATCH 2/3] arptables: Fix --proto-type mask formatting Phil Sutter
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Phil Sutter @ 2023-11-08  3:31 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Arptables expects numeric arguments to --h-type option in hexadecimal
form, even if no '0x'-prefix is present. In contrast, it prints such
values in decimal. This is not just inconsistent, but makes it
impossible to save and later restore a ruleset without fixing up the
values in between.

Assuming that the parser side can't be changed for compatibility
reasons, fix the output side instead.

This is a day 1 bug and present in legacy arptables as well, so treat
this as a "feature" of arptables-nft and omit a Fixes: tag.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/libarpt_standard.t | 4 +++-
 iptables/nft-arp.c            | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
index 007fa2b8335e8..a2b0a36a4a6bf 100644
--- a/extensions/libarpt_standard.t
+++ b/extensions/libarpt_standard.t
@@ -13,4 +13,6 @@
 --source-mac Unicast;--src-mac 00:00:00:00:00:00/01:00:00:00:00:00;OK
 ! --src-mac Multicast;! --src-mac 01:00:00:00:00:00/01:00:00:00:00:00;OK
 --src-mac=01:02:03:04:05:06 --dst-mac=07:08:09:0A:0B:0C --h-length=6 --opcode=Request --h-type=Ethernet --proto-type=ipv4;--src-mac 01:02:03:04:05:06 --dst-mac 07:08:09:0a:0b:0c --opcode 1 --proto-type 0x800;OK
---src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! --dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 1 ! --proto-type 0x800;OK
+--src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! --dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 0x1 ! --proto-type 0x800;OK
+--h-type 10;--h-type 0x10;OK
+--h-type 0x10;=;OK
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 8521cc4f15c1d..83aec5003004e 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -323,9 +323,9 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 		if (tmp == 1 && !(format & FMT_NUMERIC))
 			printf("--h-type %s", "Ethernet");
 		else
-			printf("--h-type %u", tmp);
+			printf("--h-type 0x%x", tmp);
 		if (fw->arp.arhrd_mask != 65535)
-			printf("/%d", ntohs(fw->arp.arhrd_mask));
+			printf("/0x%x", ntohs(fw->arp.arhrd_mask));
 		sep = " ";
 	}
 
-- 
2.41.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [iptables PATCH 2/3] arptables: Fix --proto-type mask formatting
  2023-11-08  3:31 [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Phil Sutter
@ 2023-11-08  3:31 ` Phil Sutter
  2023-11-08  3:31 ` [iptables PATCH 3/3] extensions: libarpt_standard.t: Add a rule with builtin option masks Phil Sutter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Phil Sutter @ 2023-11-08  3:31 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Arptables accepts numeric --proto-type values and masks in any numeral
system identified by (absence of) prefix. Yet it prints the mask value
in hex without '0x'-prefix, breaking save and restore the same way
numeric --h-type output did.

In theory, this could be fixed either by adding the missing prefix or
printing the mask in decimal (like most other builtin matches do), but
since the value is printed in hex with prefix already, align mask output
with that.

Also a day 1 bug and consistent with legacy, so no Fixes: tag here as
well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/libarpt_standard.t | 4 ++++
 iptables/nft-arp.c            | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
index a2b0a36a4a6bf..b9a3560660372 100644
--- a/extensions/libarpt_standard.t
+++ b/extensions/libarpt_standard.t
@@ -16,3 +16,7 @@
 --src-mac ! 01:02:03:04:05:06 --dst-mac ! 07:08:09:0A:0B:0C --h-length ! 6 --opcode ! Request --h-type ! Ethernet --proto-type ! ipv4;! --src-mac 01:02:03:04:05:06 ! --dst-mac 07:08:09:0a:0b:0c ! --h-length 6 ! --opcode 1 ! --h-type 0x1 ! --proto-type 0x800;OK
 --h-type 10;--h-type 0x10;OK
 --h-type 0x10;=;OK
+--proto-type 10;--proto-type 0xa;OK
+--proto-type 10/10;--proto-type 0xa/0xa;OK
+--proto-type 0x10;=;OK
+--proto-type 0x10/0x10;=;OK
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 83aec5003004e..38b2ab3993128 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -339,7 +339,7 @@ static void nft_arp_print_rule_details(const struct iptables_command_state *cs,
 		else
 			printf("--proto-type 0x%x", tmp);
 		if (fw->arp.arpro_mask != 65535)
-			printf("/%x", ntohs(fw->arp.arpro_mask));
+			printf("/0x%x", ntohs(fw->arp.arpro_mask));
 		sep = " ";
 	}
 }
-- 
2.41.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [iptables PATCH 3/3] extensions: libarpt_standard.t: Add a rule with builtin option masks
  2023-11-08  3:31 [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Phil Sutter
  2023-11-08  3:31 ` [iptables PATCH 2/3] arptables: Fix --proto-type mask formatting Phil Sutter
@ 2023-11-08  3:31 ` Phil Sutter
  2023-11-08  9:13 ` [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Florian Westphal
  2023-11-09 14:56 ` Phil Sutter
  3 siblings, 0 replies; 5+ messages in thread
From: Phil Sutter @ 2023-11-08  3:31 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

Just some random values in hope this starts failing if masks support
changes or breaks.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/libarpt_standard.t | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
index b9a3560660372..153540903f786 100644
--- a/extensions/libarpt_standard.t
+++ b/extensions/libarpt_standard.t
@@ -20,3 +20,4 @@
 --proto-type 10/10;--proto-type 0xa/0xa;OK
 --proto-type 0x10;=;OK
 --proto-type 0x10/0x10;=;OK
+--h-length 6/15 --opcode 1/235 --h-type 0x8/0xcf --proto-type 0x800/0xde00;=;OK
-- 
2.41.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output
  2023-11-08  3:31 [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Phil Sutter
  2023-11-08  3:31 ` [iptables PATCH 2/3] arptables: Fix --proto-type mask formatting Phil Sutter
  2023-11-08  3:31 ` [iptables PATCH 3/3] extensions: libarpt_standard.t: Add a rule with builtin option masks Phil Sutter
@ 2023-11-08  9:13 ` Florian Westphal
  2023-11-09 14:56 ` Phil Sutter
  3 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2023-11-08  9:13 UTC (permalink / raw)
  To: Phil Sutter; +Cc: Florian Westphal, netfilter-devel

Phil Sutter <phil@nwl.cc> wrote:
> Arptables expects numeric arguments to --h-type option in hexadecimal
> form, even if no '0x'-prefix is present. In contrast, it prints such
> values in decimal. This is not just inconsistent, but makes it
> impossible to save and later restore a ruleset without fixing up the
> values in between.
> 
> Assuming that the parser side can't be changed for compatibility
> reasons, fix the output side instead.
> 
> This is a day 1 bug and present in legacy arptables as well, so treat
> this as a "feature" of arptables-nft and omit a Fixes: tag.

Acked-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output
  2023-11-08  3:31 [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Phil Sutter
                   ` (2 preceding siblings ...)
  2023-11-08  9:13 ` [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Florian Westphal
@ 2023-11-09 14:56 ` Phil Sutter
  3 siblings, 0 replies; 5+ messages in thread
From: Phil Sutter @ 2023-11-09 14:56 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Wed, Nov 08, 2023 at 04:31:28AM +0100, Phil Sutter wrote:
> Arptables expects numeric arguments to --h-type option in hexadecimal
> form, even if no '0x'-prefix is present. In contrast, it prints such
> values in decimal. This is not just inconsistent, but makes it
> impossible to save and later restore a ruleset without fixing up the
> values in between.
> 
> Assuming that the parser side can't be changed for compatibility
> reasons, fix the output side instead.
> 
> This is a day 1 bug and present in legacy arptables as well, so treat
> this as a "feature" of arptables-nft and omit a Fixes: tag.
> 
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Series applied.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-11-09 14:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-08  3:31 [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Phil Sutter
2023-11-08  3:31 ` [iptables PATCH 2/3] arptables: Fix --proto-type mask formatting Phil Sutter
2023-11-08  3:31 ` [iptables PATCH 3/3] extensions: libarpt_standard.t: Add a rule with builtin option masks Phil Sutter
2023-11-08  9:13 ` [iptables PATCH 1/3] arptables: Fix formatting of numeric --h-type output Florian Westphal
2023-11-09 14:56 ` Phil Sutter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).