diff options
author | Phil Sutter <phil@nwl.cc> | 2023-01-25 02:01:56 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-01-31 16:29:26 +0100 |
commit | 27d37863a486352511dac385bde8f3d20526be5b (patch) | |
tree | d977a53130907f2522eab24d062b879384578ff5 /iptables/xtables-eb.c | |
parent | d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b (diff) |
ebtables: Refuse unselected targets' options
Unlike legacy, ebtables-nft would allow e.g.:
| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be
While the result is correct, it may mislead users into believing
multiple targets are possible per rule. Better follow legacy's behaviour
and reject target options unless they have been "enabled" by a previous
'-j' option.
To achieve this, one needs to distinguish targets from watchers also
attached to 'xtables_targets' and otherwise behaving like regular
matches. Introduce XTABLES_EXT_WATCHER to mark the two.
The above works already, but error messages are misleading when using
the now unsupported syntax since target options have been merged
already. Solve this by not pre-loading the targets at all, code will
just fall back to loading ad '-j' parsing time as iptables does.
Note how this also fixes for 'counter' statement being in wrong position
of ebtables-translate output.
Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/xtables-eb.c')
-rw-r--r-- | iptables/xtables-eb.c | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 412b5ccc..3a73e797 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -468,14 +468,14 @@ static void ebt_load_match(const char *name) xtables_error(OTHER_PROBLEM, "Can't alloc memory"); } -static void __ebt_load_watcher(const char *name, const char *typename) +static void ebt_load_watcher(const char *name) { struct xtables_target *watcher; size_t size; watcher = xtables_find_target(name, XTF_TRY_LOAD); if (!watcher) { - fprintf(stderr, "Unable to load %s %s\n", name, typename); + fprintf(stderr, "Unable to load %s watcher\n", name); return; } @@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename) xtables_error(OTHER_PROBLEM, "Can't alloc memory"); } -static void ebt_load_watcher(const char *name) -{ - return __ebt_load_watcher(name, "watcher"); -} - -static void ebt_load_target(const char *name) -{ - return __ebt_load_watcher(name, "target"); -} - void ebt_load_match_extensions(void) { opts = ebt_original_options; @@ -522,13 +512,6 @@ void ebt_load_match_extensions(void) ebt_load_watcher("log"); ebt_load_watcher("nflog"); - - ebt_load_target("mark"); - ebt_load_target("dnat"); - ebt_load_target("snat"); - ebt_load_target("arpreply"); - ebt_load_target("redirect"); - ebt_load_target("standard"); } void ebt_add_match(struct xtables_match *m, @@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs) /* Is it a watcher option? */ for (t = xtables_targets; t; t = t->next) { + if (!(t->ext_flags & XTABLES_EXT_WATCHER)) + continue; + if (t->parse && t->parse(cs->c - t->option_offset, cs->argv, ebt_invert, &t->tflags, NULL, &t->t)) { @@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, optind = 0; opterr = false; + for (t = xtables_targets; t; t = t->next) { + t->tflags = 0; + t->used = 0; + } + /* Getopt saves the day */ while ((c = getopt_long(argc, argv, EBT_OPTSTRING, opts, NULL)) != -1) { |