authorPhil Sutter <phil@nwl.cc>2022-03-04 12:50:01 +0100
committerPhil Sutter <phil@nwl.cc>2022-03-17 09:56:18 +0100
commitac4c84cc63d3cc021ca532692885a644fcde4518 (patch)
tree9d1eaa5a94948ca1d40041f42290d1f6aec2f7b4
parentf58b0d7406451afbb4b9b6c7888990c964fa7c79 (diff)
libxtables: Boost rule target checks by announcing chain names
When restoring a ruleset, feed libxtables with chain names from respective lines to avoid an extension search. While the user's intention is clear, this effectively disables the sanity check for clashes with target extensions. But: * The check yielded only a warning and the clashing chain was finally accepted. * Users crafting iptables dumps for feeding into iptables-restore likely know what they're doing. Signed-off-by: Phil Sutter <phil@nwl.cc> Acked-by: Florian Westphal <fw@strlen.de>
-rw-r--r--include/xtables.h3
-rw-r--r--iptables/iptables-restore.c1
-rw-r--r--iptables/xtables-restore.c1
-rw-r--r--libxtables/xtables.c6
4 files changed, 11 insertions, 0 deletions
diff --git a/include/xtables.h b/include/xtables.h
index 044f191f..84369dac 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -654,6 +654,9 @@ const char *xt_xlate_get(struct xt_xlate *xl);
#define xt_xlate_rule_get xt_xlate_get
const char *xt_xlate_set_get(struct xt_xlate *xl);
+/* informed target lookups */
+void xtables_announce_chain(const char *name);
+
#ifdef XTABLES_INTERNAL
/* Shipped modules rely on this... */
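Review bot: The new prototype `void xtables_announce_chain(const char *name);` is documented only by `/* informed target lookups */`, which does not tell a caller what announcing a name changes; per the commit message it makes later target lookups for that name skip the extension search and with it the chain/target clash warning, and that contract belongs on the public declaration. Suggest replacing the comment with `/* Record NAME as a user-defined chain: later target lookups for it skip the extension search (and the chain/target clash warning). */`. The definition in libxtables/xtables.c in the last hunk has no comment either and could point back to this one.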
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index d8f65ce1..4410a587 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -308,6 +308,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
cb->ops->strerror(errno));
}
+ xtables_announce_chain(chain);
ret = 1;
} else if (in_table) {
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index b70a3cb1..1363f96a 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
+ xtables_announce_chain(chain);
assert_valid_chain_name(chain);
policy = strtok(NULL, " \t\n");
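Review bot: `xtables_announce_chain(chain)` is called before `assert_valid_chain_name(chain)`, so a name that fails validation has already been inserted into libxtables' no-target cache by the time the check runs; if that assertion reports and returns rather than exiting (its behaviour is not visible in the hunk), the rejected name stays cached for the rest of the run. Swapping the two lines keeps the cache limited to names that passed validation: `assert_valid_chain_name(chain);` followed by `xtables_announce_chain(chain);`. xtables_restore_parse_line starts and ends outside the hunk.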
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 06090727..96fd783a 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -321,6 +321,12 @@ static void notargets_hlist_insert(const char *name)
hlist_add_head(&cur->node, &notargets[djb_hash(name) % NOTARGET_HSIZE]);
}
+void xtables_announce_chain(const char *name)
+{
+ if (!notargets_hlist_lookup(name))
+ notargets_hlist_insert(name);
+}
+
void xtables_init(void)
{
/* xtables cannot be used with setuid in a safe way. */