authorPhil Sutter <phil@nwl.cc>2018-11-27 20:07:11 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-11-27 20:46:26 +0100
commitccf154d7420c07b6e6febc1c3b8b31d2bd1adbe6 (patch)
treef197af81ce1b071b2a34e8f563a02aec3f6daa00
parent2ed6c85f8743a83d2b302bf6bd8d16b5efa3bb14 (diff)
xtables: Don't use native nftables comments
The problem with converting libxt_comment into nftables comment is that rules change when parsing from kernel due to comment match being moved to the end of the match list. And since match ordering matters, the rule may not be found anymore when checking or deleting. Apart from that, iptables-nft didn't support multiple comments per rule anymore. This is a compatibility issue without technical reason. Leave conversion from nftables comment to libxt_comment in place so we don't break running systems during an update. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--extensions/libxt_comment.t2
-rw-r--r--iptables/nft-ipv4.c14
-rw-r--r--iptables/nft-ipv6.c14
-rw-r--r--iptables/nft.c27
-rw-r--r--iptables/nft.h1
5 files changed, 8 insertions, 50 deletions
diff --git a/extensions/libxt_comment.t b/extensions/libxt_comment.t
index f12cd668..f0c8fb99 100644
--- a/extensions/libxt_comment.t
+++ b/extensions/libxt_comment.t
@@ -1,6 +1,8 @@
:INPUT,FORWARD,OUTPUT
-m comment;;FAIL
-m comment --comment;;FAIL
+-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK
+-p tcp -m comment --comment foo -m tcp --dport 22;=;OK
#
# it fails with 256 characters
#
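Review bot: The two added cases cover the match-ordering regression the description names, but not the other one it names, multiple comments on a single rule; a third line such as `-p tcp -m comment --comment foo -m comment --comment bar;=;OK` would pin that behaviour too, assuming the test harness round-trips repeated matches the same way it does the others. Both new lines use `;=;`, so they also exercise that the rule prints back in the original match order, which is the point of the change. The trailing 256-character case that follows is untouched and still only covers the FAIL side of the length limit.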
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ffb439b4..4497eb9b 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -77,17 +77,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- /* Use nft built-in comments support instead of comment match */
- if (strcmp(matchp->match->name, "comment") == 0) {
- ret = add_comment(r, (char *)matchp->match->m->data);
- if (ret < 0)
- goto try_match;
- } else {
-try_match:
- ret = add_match(r, matchp->match->m);
- if (ret < 0)
- return ret;
- }
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
}
/* Counters need to me added before the target, otherwise they are
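Review bot: After this change the loop body in nft_ipv4_add is byte-for-byte the same as the one the nft-ipv6.c hunk leaves in nft_ipv6_add, so the match loop (`for (matchp = cs->matches; ...) { ret = add_match(r, matchp->match->m); if (ret < 0) return ret; }`) is now a candidate for a single shared helper rather than two copies that must be kept in sync. The removed `strcmp` call was possibly the only use of `<string.h>` in this function; whether the include is still needed elsewhere in the file cannot be told from the hunk, so it is worth a quick check rather than a blind removal. nft_ipv4_add starts before and continues after this hunk.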
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 7bacee4a..cacb1c9e 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -66,17 +66,9 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- /* Use nft built-in comments support instead of comment match */
- if (strcmp(matchp->match->name, "comment") == 0) {
- ret = add_comment(r, (char *)matchp->match->m->data);
- if (ret < 0)
- goto try_match;
- } else {
-try_match:
- ret = add_match(r, matchp->match->m);
- if (ret < 0)
- return ret;
- }
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
}
/* Counters need to me added before the target, otherwise they are
diff --git a/iptables/nft.c b/iptables/nft.c
index 0223c0ed..7b6fb2b1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1129,33 +1129,6 @@ enum udata_type {
};
#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
-int add_comment(struct nftnl_rule *r, const char *comment)
-{
- struct nftnl_udata_buf *udata;
- uint32_t len;
-
- if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
- return -EALREADY;
-
- udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
- if (!udata)
- return -ENOMEM;
-
- if (strnlen(comment, 255) == 255)
- return -ENOSPC;
-
- if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
- return -ENOMEM;
-
- nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
- nftnl_udata_buf_data(udata),
- nftnl_udata_buf_len(udata));
-
- nftnl_udata_buf_free(udata);
-
- return 0;
-}
-
static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
{
unsigned char *value = nftnl_udata_get(attr);
diff --git a/iptables/nft.h b/iptables/nft.h
index 71119994..bf60ab39 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -121,7 +121,6 @@ int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
-int add_comment(struct nftnl_rule *r, const char *comment);
char *get_comment(const void *data, uint32_t data_len);
enum nft_rule_print {