From e1ccd979e6849748578fad76475c688bdd16df0d Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Tue, 10 Sep 2019 23:10:59 +0200 Subject: ebtables: fix over-eager -o checks on custom chains Arturo reports ebtables-nft reports an error when -o is used in custom chains: -A MYCHAIN -o someif makes ebtables-nft exit with an error: "Use -o only in OUTPUT, FORWARD and POSTROUTING chains." Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING to mean "builtin", so -1 mistakenly leads to the checks being active. Reported-by: Arturo Borrero Gonzalez Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347 Signed-off-by: Florian Westphal
---
.../shell/testcases/ebtables/0005-ifnamechecks_0 | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100755 iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 (limited to 'iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0')
diff --git a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
new file mode 100755
index 00000000..2163d364
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+# there is no legacy backend to test
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+EXPECT='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:PVEFW-FORWARD ACCEPT
+:PVEFW-FWBR-OUT ACCEPT
+-A FORWARD -j PVEFW-FORWARD
+-A PVEFW-FORWARD -p IPv4 -j ACCEPT
+-A PVEFW-FORWARD -p IPv6 -j ACCEPT
+-A PVEFW-FORWARD -i fwln+ -j ACCEPT
+-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT'
+
+$XT_MULTI ebtables-restore <<<$EXPECT
+exec diff -u <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#')
-- cgit v1.2.3
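Review bot: The new test only asserts the permissive side of the fix, namely that `-o fwln+` is accepted in the custom chain PVEFW-FORWARD. Nothing checks that `-o` is still refused in a builtin chain such as INPUT, so a change that switched the validation off entirely would pass this test as well. The C change is not part of this view (the page is limited to the test file), so whether the builtin-chain check survives cannot be confirmed from here. A negative case placed before the final `exec diff` would pin it down: `if $XT_MULTI ebtables -A INPUT -o fwln+ -j ACCEPT 2>/dev/null; then echo "-o accepted in INPUT"; exit 1; fi`. Separately, `<<<$EXPECT` is better written `<<<"$EXPECT"`, since bash releases before 4.4 word-split an unquoted here-string and would collapse the ruleset's newlines.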