diff options
author | Adel Belhouane <bugs.a.b@free.fr> | 2019-07-26 09:24:37 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2019-07-29 02:34:56 +0200 |
commit | d76475ce1c30f6c3e3f3ca85964bdfc4425acb81 (patch) | |
tree | bb4eda4785484cc4be59c16b36fe51d1e91c62ce /iptables/tests/shell/testcases | |
parent | b1b24aec274728c5ceb914fc4511828432c3fbed (diff) |
restore legacy behaviour of iptables-restore when rules start with -4/-6
v2: moved examples to testcase files
Legacy implementation of iptables-restore / ip6tables-restore allowed
to insert a -4 or -6 option at start of a rule line to ignore it if not
matching the command's protocol. This allowed to mix specific ipv4 and
ipv6 rules in a single file, as still described in iptables 1.8.3's man
page in options -4 and -6. The implementation over nftables doesn't behave
correctly in this case: iptables-nft-restore accepts both -4 or -6 lines
and ip6tables-nft-restore throws an error on -4.
There's a distribution bug report mentioning this problem:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925343
Restore the legacy behaviour:
- let do_parse() return and thus not add a command in those restore
special cases
- let do_commandx() ignore CMD_NONE instead of bailing out
I didn't attempt to fix all minor anomalies, but just to fix the
regression. For example in the line below, iptables should throw an error
instead of accepting -6 and then adding it as ipv4:
% iptables-nft -6 -A INPUT -p tcp -j ACCEPT
Signed-off-by: Adel Belhouane <bugs.a.b@free.fr>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/tests/shell/testcases')
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 | 26 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0 | 26 |
2 files changed, 52 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 new file mode 100755 index 00000000..dd069771 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 @@ -0,0 +1,26 @@ +#!/bin/bash + +# Make sure iptables-restore simply ignores +# rules starting with -6 + +set -e + +# show rules, drop uninteresting policy settings +ipt_show() { + $XT_MULTI iptables -S | grep -v '^-P' +} + +# issue reproducer for iptables-restore + +$XT_MULTI iptables-restore <<EOF +*filter +-A FORWARD -m comment --comment any -j ACCEPT +-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT +-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment any -j ACCEPT +-A FORWARD -m comment --comment ipv4 -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) diff --git a/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0 b/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0 new file mode 100755 index 00000000..a37253a9 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0 @@ -0,0 +1,26 @@ +#!/bin/bash + +# Make sure ip6tables-restore simply ignores +# rules starting with -4 + +set -e + +# show rules, drop uninteresting policy settings +ipt_show() { + $XT_MULTI ip6tables -S | grep -v '^-P' +} + +# issue reproducer for ip6tables-restore + +$XT_MULTI ip6tables-restore <<EOF +*filter +-A FORWARD -m comment --comment any -j ACCEPT +-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT +-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT +COMMIT +EOF + +EXPECT='-A FORWARD -m comment --comment any -j ACCEPT +-A FORWARD -m comment --comment ipv6 -j ACCEPT' + +diff -u -Z <(echo -e "$EXPECT") <(ipt_show) |