path: root/libebtc.c
Commit message | Author | Age | Files | Lines
* libebtc: fix malloc usage [HEAD master] | Florian Westphal | 2021-09-30 | 1 | -36/+24

    Rule insertion may fail on systems where libc doesn't provide zeroed
    memory via malloc (which is legal). IOW, this was never guaranteed to
    work correctly.

    Add an xzalloc wrapper to do error checking and zeroing and then use it
    in libebtc.

    Reported-and-tested-by: Senthil Kumar Balasubramanian <senthilb@qubercomm.com>
    Diagnosed-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
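The wrapper pattern this commit describes, as an added C example; it is not libebtc's code. `xzalloc()` is the only name taken from the commit message; the `struct rule` record and the `rule_insert`/`rule_list_check` helpers are hypothetical stand-ins that show why the zeroing matters: a doubly linked list whose `prev` pointer and `hook_mask` are never written by the insert path and so are only correct if the allocation started out as zeros.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zeroing, error-checked allocation wrapper. malloc() is not required to
 * return zeroed memory, so code that relies on fresh fields being 0/NULL must
 * ask for it explicitly; calloc() zeroes and also rejects size overflow.
 * On failure the process exits, which is the usual policy for a CLI tool. */
void *xzalloc(size_t size)
{
    if (size == 0)
        size = 1;        /* calloc(1, 0) may legally return NULL; keep NULL == failure */
    void *p = calloc(1, size);
    if (p == NULL) {
        fprintf(stderr, "xzalloc: cannot allocate %zu bytes\n", size);
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Hypothetical rule record (not libebtc's real struct). Its pointer fields
 * and counter are only valid if the allocation started out zeroed. */
struct rule {
    struct rule *prev;
    struct rule *next;
    unsigned int hook_mask;
    char name[32];
};

/* Push a new rule at the head of a doubly linked list; returns the new head.
 * Only `name` and `next` are set here; `prev` and `hook_mask` of the new node
 * rely on xzalloc() having cleared them. */
struct rule *rule_insert(struct rule *head, const char *name)
{
    struct rule *r = xzalloc(sizeof *r);
    snprintf(r->name, sizeof r->name, "%s", name);
    r->next = head;
    if (head != NULL)
        head->prev = r;
    return r;
}

/* Walk the list and verify the invariants zeroed memory guarantees:
 * prev links are consistent and terminate in NULL, hook_mask starts at 0.
 * Returns the number of rules, or -1 if an invariant fails. */
int rule_list_check(const struct rule *head)
{
    int n = 0;
    const struct rule *prev = NULL;
    for (const struct rule *r = head; r != NULL; prev = r, r = r->next) {
        if (r->prev != prev || r->hook_mask != 0)
            return -1;
        n++;
    }
    return n;
}

/* Free the whole list; returns the number of rules freed. */
int rule_list_free(struct rule *head)
{
    int n = 0;
    while (head != NULL) {
        struct rule *next = head->next;
        free(head);
        head = next;
        n++;
    }
    return n;
}

/* Return 1 if the first `len` bytes at p are all zero, else 0. */
int all_zero(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    struct rule *head = NULL;
    head = rule_insert(head, "drop-arp");
    head = rule_insert(head, "accept-ip");
    printf("%d rules, list consistent\n", rule_list_check(head));
    rule_list_free(head);
    return 0;
}
```

Replacing `calloc(1, size)` with `malloc(size)` would compile and often still pass on glibc for small fresh heap blocks, which is exactly why the original bug went unnoticed; it only shows on a libc, or a reused heap chunk, that hands back non-zero bytes.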
* libebtc: Fix an issue that '--concurrent' doesn't work with NFS | Firo Yang | 2021-04-19 | 1 | -1/+1

    Due to the following commit[1] from the kernel, if '/var/lib/ebtables' was
    mounted with an NFS filesystem, the ebtables command will hit the
    following error:

        mount | grep nfs
        x.x.x.x:/var/lib/ebtables on /var/lib/ebtables type nfs4 [...]

        /usr/sbin/ebtables --concurrent -L
        Trying to obtain lock /var/lib/ebtables/lock
        Trying to obtain lock /var/lib/ebtables/lock
        Trying to obtain lock /var/lib/ebtables/lock
        Trying to obtain lock /var/lib/ebtables/lock
        [...]

    In order to fix this problem, add 'O_WRONLY' to match the requirement of
    that kernel commit[1].

    [1]: 55725513b5ef ("NFSv4: Ensure that we check lock exclusive/shared type against open modes")

    Signed-off-by: Firo Yang <firo.yang@suse.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libebtc: Open the lockfile with O_CLOEXEC | Ondrej Mosnacek | 2021-02-17 | 1 | -1/+1

    Otherwise the fd will leak to subprocesses (e.g. modprobe). That's
    mostly benign, but it may trigger an SELinux denial when the modprobe
    process transitions to another domain.

    Fixes: 8b5594d7c21f ("add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables")
    Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix segfault with missing lockfile directory | Phil Sutter | 2019-04-09 | 1 | -1/+2

    Apparently, dirname() modifies the buffer passed to it. Given a
    read-only location, this leads to a segfault. Use a buffer initialized
    (and tailored) to the content of the LOCKFILE macro at compile-time
    instead.

    Fixes: f45756c1ca3b5 ("Allow customizing lockfile location at configure time")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* Allow customizing lockfile location at configure time | Phil Sutter | 2019-04-03 | 1 | -5/+2

    Users may pass LOCKFILE=/some/path/to/file when calling configure to
    make libebtc use that path for its lockfile.

    To simplify things, drop LOCKDIR completely and instead call dirname()
    when trying to create the parent directory.

    Given that we always define LOCKFILE via compiler flag, drop the
    fallback define from libebtc.c.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: Add string filter to ebtables | Bernie Harris | 2018-04-27 | 1 | -1/+5

    This patch is part of a proposal to add a string filter to ebtables,
    which would be similar to the string filter in iptables. Like iptables,
    the ebtables filter uses the xt_string module, however some
    modifications have been made for this to work correctly.

    Currently ebtables assumes that the revision number of all match
    modules is 0. The xt_string module doesn't register a match with
    revision 0 so the solution is to modify ebtables to allow extensions to
    specify a revision number, similar to iptables. This gets passed down
    to the kernel, which is then able to find the match module correctly.

    Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Fix locking if LOCKDIR does not exist | Phil Sutter | 2018-01-17 | 1 | -4/+10

    The previous conversion to using flock() missed a crucial bit of code
    which tries to create LOCKDIR once in case opening the lock failed.
    This patch reestablishes the old behaviour.

    Reported-by: Tangchen (UVP) <tang.chen@huawei.com>
    Fixes: 6a826591878db ("Use flock() for --concurrent option")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Use flock() for --concurrent option | Phil Sutter | 2017-10-24 | 1 | -44/+5

    The previous locking mechanism was not atomic, hence it was possible
    that a killed ebtables process would leave the lock file in place which
    in turn made future ebtables processes wait indefinitely for the lock
    to become free.

    Fix this by using flock(). This also simplifies code quite a bit
    because there is no need for a custom signal handler or an __exit
    routine anymore.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
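The --concurrent lock as it ends up after the five lock-related commits above (flock() instead of a lock file left behind by a killed process, creating the lock directory on ENOENT, dirname() on a writable copy rather than a string literal, O_CLOEXEC so the fd does not leak into modprobe, and O_WRONLY so the exclusive flock() is compatible with the open mode on NFSv4), as one added C example. It is not ebtables' use_lockfd() implementation: the path /tmp/libebtc-example/lock, the function names and the retry count are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path used by this example only; ebtables sets LOCKFILE at configure time. */
#define EXAMPLE_LOCKFILE "/tmp/libebtc-example/lock"

/* Create the lock file's parent directory. dirname() may modify its argument,
 * so it is called on a writable copy, never on the (read-only) literal. */
static int make_lockdir(const char *lockfile)
{
    char buf[4096];
    if (snprintf(buf, sizeof buf, "%s", lockfile) >= (int)sizeof buf) {
        errno = ENAMETOOLONG;
        return -1;
    }
    const char *dir = dirname(buf);
    if (mkdir(dir, 0700) < 0 && errno != EEXIST)
        return -1;
    return 0;
}

/* Open the lock file and take an exclusive flock() on it.
 *  - O_CREAT|O_WRONLY: the open mode has to match the lock type, otherwise
 *    the NFSv4 client rejects an exclusive lock on a read-only open.
 *  - O_CLOEXEC: children such as modprobe must not inherit the fd.
 *  - flock() locks die with the open file description, so a killed process
 *    cannot leave a stale lock behind the way a lock *file* could.
 * Retries `tries` times with a 1s pause, printing the same message ebtables
 * does. Returns the fd that holds the lock, or -1 with errno set. */
int ebt_lock_open(const char *lockfile, unsigned int tries)
{
    int fd = open(lockfile, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
    if (fd < 0 && errno == ENOENT) {
        if (make_lockdir(lockfile) < 0)
            return -1;
        fd = open(lockfile, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
    }
    if (fd < 0)
        return -1;

    for (unsigned int i = 0; i < tries; i++) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK) {
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        fprintf(stderr, "Trying to obtain lock %s\n", lockfile);
        if (i + 1 < tries)
            sleep(1);
    }
    close(fd);
    errno = EWOULDBLOCK;
    return -1;
}

/* 1 if the close-on-exec flag is set on fd, 0 if not, -1 on error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Closing the fd releases the flock(); there is no unlink() to forget. */
int ebt_lock_release(int fd)
{
    return close(fd);
}

int main(void)
{
    int fd = ebt_lock_open(EXAMPLE_LOCKFILE, 3);
    if (fd < 0) {
        perror("ebt_lock_open");
        return 1;
    }
    printf("holding %s on fd %d (cloexec=%d)\n", EXAMPLE_LOCKFILE, fd,
           fd_is_cloexec(fd));
    return ebt_lock_release(fd) == 0 ? 0 : 1;
}
```

Because flock() locks belong to the open file description, a second open() of the same path in the same process gets a separate description and is refused with EWOULDBLOCK while the first is held, which is what lets one ebtables process block another even when both run as root.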
* ebtables: Allow RETURN target rules in user defined chains | Alin Năstac | 2015-10-28 | 1 | -1/+1

    During loop checking ebtables marks entries with '1 << NF_BR_NUMHOOKS'
    if they're called from a base chain rather than a user defined chain.

    This can be used by ebtables targets that can encode a special return
    value to bail out if e.g. RETURN is used from a base chain.

    Unfortunately, this is broken, since the '1 << NF_BR_NUMHOOKS' is also
    copied to called user-defined-chains (i.e., a user defined chain can
    no longer be distinguished from a base chain):

        root@OpenWrt:~# ebtables -N foo
        root@OpenWrt:~# ebtables -A OUTPUT -j foo
        root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
        --mark-target RETURN not allowed on base chain.

    This works if -A OUTPUT -j foo is omitted, but will still appear if we
    try to call foo from OUTPUT afterwards.

    After this patch we still reject '-A OUTPUT -j mark .. --mark-target
    RETURN'.

    Signed-off-by: Florian Westphal <fw@strlen.de>
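The hook_mask propagation this commit fixes, as an added C example in a deliberately simplified model; it is not libebtc's ebt_check_for_loops() or its entry structures. The hook numbering and NF_BR_NUMHOOKS follow the kernel's linux/netfilter_bridge.h; `struct chain`, `add_jump()`, `check_for_loops()` and `return_allowed()` are hypothetical names for this example. The walk strips the base-chain marker when it copies reachability into a called user-defined chain, so `foo` in the commit's scenario is reachable from the LOCAL_OUT hook yet is not mistaken for a base chain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Bridge hooks, numbered as in the kernel's linux/netfilter_bridge.h */
enum { NF_BR_PRE_ROUTING, NF_BR_LOCAL_IN, NF_BR_FORWARD, NF_BR_LOCAL_OUT,
       NF_BR_POST_ROUTING, NF_BR_BROUTING, NF_BR_NUMHOOKS };

/* Marker bit "this is a base chain", set next to the hook bits */
#define BASE_CHAIN_MARK (1u << NF_BR_NUMHOOKS)
#define MAX_JUMPS 8

/* Simplified chain model (assumption: not libebtc's real structures) */
struct chain {
    const char *name;
    int hook;               /* hook number for a base chain, -1 for a udc */
    unsigned int hook_mask; /* hooks the chain can be entered from, plus mark */
    int njumps;
    int jumps[MAX_JUMPS];   /* indices of chains targeted by "-j <udc>" rules */
    bool on_path;           /* DFS state for loop detection */
};

/* Record a "-A <chain> -j <target>" rule; -1 if the chain is full. */
int add_jump(struct chain *c, int target)
{
    if (c->njumps >= MAX_JUMPS)
        return -1;
    c->jumps[c->njumps++] = target;
    return 0;
}

/* Depth-first walk from chain `from`, accumulating reachability into each
 * called udc. Returns false when a chain is re-entered on the current path. */
static bool walk(struct chain *chains, int from)
{
    struct chain *c = &chains[from];
    if (c->on_path)
        return false;
    c->on_path = true;
    for (int i = 0; i < c->njumps; i++) {
        struct chain *to = &chains[c->jumps[i]];
        /* Propagate only the hook bits. Copying the whole mask (the bug the
         * commit above fixes) would hand the base-chain marker to the udc,
         * so a RETURN placed there would be rejected as "on base chain". */
        to->hook_mask |= c->hook_mask & ~BASE_CHAIN_MARK;
        if (!walk(chains, c->jumps[i]))
            return false;
    }
    c->on_path = false;
    return true;
}

/* Reset all masks, mark each base chain with its hook bit plus the marker,
 * then walk from it. Returns false if a loop is found. */
bool check_for_loops(struct chain *chains, int nchains)
{
    for (int i = 0; i < nchains; i++) {
        chains[i].hook_mask = 0;
        chains[i].on_path = false;
    }
    for (int i = 0; i < nchains; i++) {
        if (chains[i].hook < 0)
            continue;
        chains[i].hook_mask = (1u << chains[i].hook) | BASE_CHAIN_MARK;
        if (!walk(chains, i))
            return false;
    }
    return true;
}

/* The question a target's final check asks for "--mark-target RETURN":
 * RETURN only makes sense inside a user-defined chain. */
bool return_allowed(const struct chain *c)
{
    return (c->hook_mask & BASE_CHAIN_MARK) == 0;
}

int main(void)
{
    /* Constructed ruleset from the commit message: -N foo; -A OUTPUT -j foo */
    struct chain chains[] = {
        { .name = "OUTPUT", .hook = NF_BR_LOCAL_OUT },
        { .name = "foo", .hook = -1 },
    };
    add_jump(&chains[0], 1);
    if (!check_for_loops(chains, 2))
        return 1;
    printf("foo hook_mask=0x%x, RETURN allowed in foo: %s, in OUTPUT: %s\n",
           chains[1].hook_mask, return_allowed(&chains[1]) ? "yes" : "no",
           return_allowed(&chains[0]) ? "yes" : "no");
    return 0;
}
```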
* remove compile warning, conditionally define LOCKFILE | Bart De Schuymer | 2011-07-10 | 1 | -0/+4
* fix use-after-free issue found by Coverity static analysis (thanks to Jiri Popelka) | Bart De Schuymer | 2011-06-23 | 1 | -2/+2
* add logic to support the --concurrent option: use a file lock to support concurrent scripts running ebtables | Bart De Schuymer | 2011-06-19 | 1 | -0/+67
* speedup checking for loops | Bart De Schuymer | 2007-02-11 | 1 | -2/+5
* fix -X bug | Bart De Schuymer | 2006-07-31 | 1 | -8/+11
* bugfix | Bart De Schuymer | 2006-07-28 | 1 | -1/+1
* init hook_mask when no udc | Bart De Schuymer | 2006-01-23 | 1 | -4/+6
* send bug messages to stderr | Bart De Schuymer | 2005-11-09 | 1 | -3/+3
* fix -D | Bart De Schuymer | 2005-10-24 | 1 | -1/+4
* minor changes | Bart De Schuymer | 2005-10-01 | 1 | -11/+0
* cleanup | Bart De Schuymer | 2005-09-28 | 1 | -2/+2
* bugfix | Bart De Schuymer | 2005-09-01 | 1 | -0/+1
* bugfix | Bart De Schuymer | 2005-08-30 | 1 | -5/+5
* put rules in doubly linked list | Bart De Schuymer | 2005-08-28 | 1 | -49/+51
* put reference to cc in each entry | Bart De Schuymer | 2005-08-28 | 1 | -196/+75
* make array of chains | Bart De Schuymer | 2005-08-27 | 1 | -245/+106
* trivial cleanups | Bart De Schuymer | 2005-08-12 | 1 | -2/+8
* cleanup | Bart De Schuymer | 2005-07-16 | 1 | -27/+24
* more cleanup | Bart De Schuymer | 2005-03-28 | 1 | -68/+57
* complete -c and -C implementation | Bart De Schuymer | 2005-02-14 | 1 | -16/+37
* general cleanup + add -C and -c | Bart De Schuymer | 2005-02-08 | 1 | -27/+94
* add '.' after messages | Bart De Schuymer | 2005-01-24 | 1 | -1/+1
* really zero counters | Bart De Schuymer | 2005-01-24 | 1 | -0/+24
* add new counter scheme | Bart De Schuymer | 2005-01-23 | 1 | -0/+1
* add ebtablesu scheme, along with general cleanup | Bart De Schuymer | 2005-01-19 | 1 | -314/+221
* Fix problem with udc | Bart De Schuymer | 2004-12-16 | 1 | -1/+1
* gcc doesn't like a label at the end.. tss | Bart De Schuymer | 2004-09-09 | 1 | -1/+1
* add shared libraries | Bart De Schuymer | 2004-01-21 | 1 | -43/+69
* ebtables library functions | Bart De Schuymer | 2004-01-14 | 1 | -0/+1499