From aff1162b3e4b7ef805425a40306044c7d7dddc67 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Thu, 7 Feb 2019 22:08:55 +0100
Subject: ebtables-nft: Support user-defined chain policies

Legacy ebtables supports policies for user-defined chains - and what's worse, they default to ACCEPT unlike anywhere else. So lack of support for this braindead feature in ebtables-nft is actually a change of behaviour which very likely affects all ebtables users out there.

The solution implemented here uses an implicit (and transparent) last rule in all user-defined ebtables-nft chains with policy other than RETURN. This rule is identified by an nft comment "XTABLES_EB_INTERNAL_POLICY_RULE" (since commit ccf154d7420c0 ("xtables: Don't use native nftables comments") nft comments are not used otherwise).

To minimize interference with existing code, this policy rule is removed from chains during cache population and the policy is saved in NFTNL_CHAIN_POLICY attribute. When committing changes to the kernel, nft_commit() traverses through the list of chains and (re-)creates policy rules if required.

In ebtables-nft-restore, table flushes are problematic. To avoid weird kernel error responses, introduce a custom 'table_flush' callback which removes any pending policy rule add/remove jobs prior to creating the NFT_COMPAT_TABLE_FLUSH one.

I've hidden all this mess behind checks for h->family, so hopefully impact on {ip,ip6,arp}tables-nft should be negligible.

Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
 iptables/nft.h | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'iptables/nft.h')

diff --git a/iptables/nft.h b/iptables/nft.h
index 0726923a..56dc2076 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -137,6 +137,7 @@ uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag); */ int nft_commit(struct nft_handle *h); int nft_abort(struct nft_handle *h); +int nft_abort_policy_rule(struct nft_handle *h, const char *table); /* * revision compatibility. @@ -203,4 +204,7 @@ void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw); bool nft_is_table_compatible(struct nft_handle *h, const char *name); +int ebt_set_user_chain_policy(struct nft_handle *h, const char *table, + const char *chain, const char *policy); + #endif -- cgit v1.2.3
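Review bot: in the first hunk, the new `nft_abort_policy_rule(struct nft_handle *h, const char *table)` prototype is dropped between `nft_abort()` and the "revision compatibility" section comment with no description of its own, although the commit message gives it a precise job (discarding pending policy-rule add/remove batch jobs for `table` before an NFT_COMPAT_TABLE_FLUSH is queued). A one-line comment above the prototype saying exactly that, and noting it is only meaningful for ebtables handles, would keep a future caller in the iptables/ip6tables/arptables paths from assuming it is a general abort helper.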
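Review bot: in the second hunk, `ebt_set_user_chain_policy()` is bridge-specific by name and by the commit message, yet it lands in the generic nft.h beside `nft_is_table_compatible()` with nothing stating which `h->family` it is valid for, what strings `policy` accepts, or what the `int` return signals. Since the commit message says a RETURN policy produces no implicit rule while other policies do, document that asymmetry and the return convention at the declaration, e.g. `/* ebtables only: set user chain policy; no rule is added for RETURN */`, so the header is usable without reading the implementation.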