| author | Florian Westphal <fw@strlen.de> | 2018-11-02 14:36:54 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-11-03 20:35:22 +0100 |
| commit | fd95f1f0223f8e2ecf91aa8d1a4ba84576861082 (patch) | |
| tree | 3f3d5eccdd114000afa0a81de80dd2a492286cda /iptables/nft-bridge.c | |
| parent | fb747f8ae01bdcbb197f5f9fc1085416ad636d38 (diff) | |
ebtables: fix -j CONTINUE handling for add/delete
-j CONTINUE can be added, but it can't be removed:
extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE)
This problem stems from silly ambiguity in ebtables-nft vs. iptables.
In iptables, you can do
iptables -A INPUT
(no -j)
in ebtables, you can do either
ebtables -A INPUT
or
ebtables -A INPUT -j CONTINUE
both are *supposed* to be the same (and they do the same even
in ebtables-nft on netlink side).
However, the temporary binary representation within ebtables-nft is not
the same: when parsing -j CONTINUE, we add a standard target, then omit
it later in _add_target().
When translating netlink representation to ebt binary one,
we do not add a standard target and instead just print '-j CONTINUE'
when listing rules.
So when doing
-I INPUT -j CONTINUE
-D INPUT -j CONTINUE
the -D operation fails because it has a standard target in the binary
representation, whereas the rule we obtained from translating
nftables netlink back to ebtables' binary representation doesn't.
Fix it by ignoring 'CONTINUE' on parser side.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft-bridge.c')
-rw-r--r-- | iptables/nft-bridge.c | 26 |
1 files changed, 1 insertions, 25 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 35c862cf..a616f845 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -120,33 +120,9 @@ static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op) add_cmp_ptr(r, op, iface, iface_len + 1); } -/* TODO: Use generic add_action() once we convert this to use - * iptables_command_state. - */ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) { - int ret = 0; - - if (cs->jumpto == NULL || strcmp(cs->jumpto, "CONTINUE") == 0) - return 0; - - /* If no target at all, add nothing (default to continue) */ - if (cs->target != NULL) { - /* Standard target? */ - if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0) - ret = add_verdict(r, NF_ACCEPT); - else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0) - ret = add_verdict(r, NF_DROP); - else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) - ret = add_verdict(r, NFT_RETURN); - else - ret = add_target(r, cs->target->t); - } else if (strlen(cs->jumpto) > 0) { - /* Not standard, then it's a jump to chain */ - ret = add_jumpto(r, cs->jumpto, NFT_JUMP); - } - - return ret; + return add_action(r, cs, false); } static int nft_bridge_add(struct nftnl_rule *r, void *data) |
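Review bot: the replacement body `return add_action(r, cs, false);` drops the explicit early return the old `_add_action()` had for `cs->jumpto == NULL || strcmp(cs->jumpto, "CONTINUE") == 0`, so correctness now depends on two things this hunk does not show: that `add_action()` tolerates a NULL or empty `jumpto` without dereferencing it, and that the parser-side change the commit message describes ("ignoring 'CONTINUE' on parser side") really lands in a companion hunk, since the diffstat here is limited to `iptables/nft-bridge.c`. Please confirm both in the same series, and consider replacing the bare `false` literal with a named variable or a one-line comment stating which `add_action()` mode it selects, so the next reader does not have to open the callee to find out.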