| author | Phil Sutter <phil@nwl.cc> | 2018-10-31 20:13:34 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-11-01 00:20:59 +0100 |
| commit | 8c918db6a7afc171fb2baf9c20ec6385940d2bfc (patch) | |
| tree | f1e73f88fee1c5d19c303964988058fa42e56ad3 | |
| parent | b2fc2a368562d55fadad94d995247bb8cd7e68a3 (diff) | |
xtables: Fix for matching rules with wildcard interfaces
Due to xtables_parse_interface() and parse_ifname() being misaligned
regarding interface mask setting, rules containing a wildcard interface
added with iptables-nft could neither be checked nor deleted.
As suggested, introduce extensions/iptables.t to hold checks for
built-in selectors. This file is picked up by iptables-test.py as-is.
The only limitation is that iptables is being used for it, so no
ip6tables-specific things can be tested with it (for now).
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | extensions/iptables.t | 4 |
|---|---|---|
| -rw-r--r-- | iptables/nft-shared.c | 2 |

2 files changed, 5 insertions, 1 deletions
diff --git a/extensions/iptables.t b/extensions/iptables.t new file mode 100644 index 00000000..65456ee9 --- /dev/null +++ b/extensions/iptables.t @@ -0,0 +1,4 @@ +:FORWARD +-i alongifacename0;=;OK +-i thisinterfaceistoolong0;;FAIL +-i eth+ -o alongifacename+;=;OK diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 492e4ec1..7b8ca5e4 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -249,7 +249,7 @@ static void parse_ifname(const char *name, unsigned int len, char *dst, unsigned return; dst[len++] = 0; if (mask) - memset(mask, 0xff, len + 1); + memset(mask, 0xff, len - 2); } int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, |
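Review bot: the new extensions/iptables.t has no header describing its line format (a `:CHAIN` line, then `rule;expected listing;OK|FAIL`, where `=` means the listing must echo the rule unchanged); since the commit message introduces this as the first file for built-in selectors and says iptables-test.py consumes it as-is, a leading comment would save the next contributor from reverse-engineering it from the three entries. Coverage-wise the cases hit an exact name at the 15-character limit, an over-long exact name and a wildcard pair, but there is no over-long wildcard case (`-i thisinterfaceistoolong+;;FAIL`), and nothing in the visible file exercises deleting or checking the wildcard rule (`-D`/`-C`), which is the breakage the commit message describes; if iptables-test.py does not run those on `OK` entries, a note on how this file actually catches the regression would help.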
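Review bot: in the iptables/nft-shared.c hunk, `memset(mask, 0xff, len - 2);` is a magic offset with no comment: it only yields the name length because `len` has been advanced twice before this point, once by the visible `dst[len++] = 0;` and once by an earlier increment outside the hunk, and it has to stay aligned with the mask width xtables_parse_interface() sets for a `+`-suffixed name. Capturing the count before the appends (e.g. `unsigned int namelen = len;` ahead of the increments) or a one-line comment stating the invariant would keep the two parsers from drifting apart again. Note also that `len` is `unsigned int` per the function signature shown, and the context only proves `len >= 1` here; if any path reaches this line with `len < 2`, `len - 2` wraps and memset() runs far past `mask`, so the comment (or an early return) should make explicit why `len >= 2` is guaranteed.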