-rw-r--r-- | extensions/libebt_standard.t | 17 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 | 21 | ||||
-rw-r--r-- | iptables/xtables-eb.c | 5 |
3 files changed, 41 insertions, 2 deletions
diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t
index 0d678fb2..c6c31727 100644
--- a/extensions/libebt_standard.t
+++ b/extensions/libebt_standard.t
@@ -9,3 +9,20 @@
 -p ! ARP -j ACCEPT;=;OK
 -p 0 -j ACCEPT;=;FAIL
 -p ! 0 -j ACCEPT;=;FAIL
+:INPUT
+-i foobar;=;OK
+-o foobar;=;FAIL
+:FORWARD
+-i foobar;=;OK
+-o foobar;=;OK
+:OUTPUT
+-i foobar;=;FAIL
+-o foobar;=;OK
+:PREROUTING
+*nat
+-i foobar;=;OK
+-o foobar;=;FAIL
+:POSTROUTING
+*nat
+-i foobar;=;FAIL
+-o foobar;=;OK
diff --git a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
new file mode 100755
index 00000000..2163d364
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+# there is no legacy backend to test
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+EXPECT='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:PVEFW-FORWARD ACCEPT
+:PVEFW-FWBR-OUT ACCEPT
+-A FORWARD -j PVEFW-FORWARD
+-A PVEFW-FORWARD -p IPv4 -j ACCEPT
+-A PVEFW-FORWARD -p IPv6 -j ACCEPT
+-A PVEFW-FORWARD -i fwln+ -j ACCEPT
+-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT'
+
+$XT_MULTI ebtables-restore <<<$EXPECT
+exec diff -u <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#')
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 121ecbec..3b03daef 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain)
 else if (strcmp(chain, "POSTROUTING") == 0) return NF_BR_POST_ROUTING;
- return -1;
+ /* placeholder for user defined chain */
+ return NF_BR_NUMHOOKS;
 }
 /*
@@ -1223,7 +1224,7 @@ print_zero:
 cs.eb.ethproto = htons(cs.eb.ethproto);
 if (command == 'P') {
- if (selected_chain < 0) {
+ if (selected_chain >= NF_BR_NUMHOOKS) {
 ret = ebt_set_user_chain_policy(h, *table, chain, policy);
 } else {
 if (strcmp(policy, "RETURN") == 0) { |
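Review bot: The here-string in `$XT_MULTI ebtables-restore <<<$EXPECT` expands `$EXPECT` unquoted, while the very next line quotes it in `echo -e "$EXPECT"`. Older bash releases may word-split an unquoted here-string and join the rules onto a single line, so the restore input would no longer match what the final diff compares against. Quoting it, `$XT_MULTI ebtables-restore <<< "$EXPECT"`, keeps the two uses consistent and independent of the bash version.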
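Review bot: The "not a builtin chain" sentinel of `ebt_get_current_chain()` changes from -1 to `NF_BR_NUMHOOKS`, but the only consumer updated in this diff is the `command == 'P'` comparison in the second xtables-eb.c hunk (`selected_chain >= NF_BR_NUMHOOKS`). Any other use of `selected_chain` that still tests `< 0` or `== -1`, or that uses the value as a hook index or in a hook bitmask without a bound check, would now treat a user-defined chain as a valid hook. Those sites are not visible here and should be audited before merging. The new contract is better stated at the function than on the return line, e.g. `/* Returns the NF_BR_* hook for a builtin chain, or NF_BR_NUMHOOKS for any other name; never negative. */`. The function body starts outside the hunk.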