| author | Phil Sutter <phil@nwl.cc> | 2019-02-04 21:52:53 +0100 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2019-02-05 16:09:41 +0100 |
| commit | 148131f20421046fea028e638581e938ec985783 (patch) | |
| tree | 728ddd7426c7d2477c0a92e130b92cbb5259f066 /iptables/nft-bridge.h | |
| parent | a880cc28358a32f96467e248266973b6ab83f080 (diff) | |
xtables: Fix for false-positive rule matching
When comparing two rules with non-standard targets, differences in
targets' payloads weren't respected.
The cause is a rather hideous one: Unlike xtables_find_match(),
xtables_find_target() did not care whether the found target was already
in use or not, so the same target instance was assigned to both rules
and therefore payload comparison happened over the same memory location.
With legacy iptables it is not possible to reuse a target: The only case
where two rules (i.e., iptables_command_state instances) could exist at
the same time is when comparing rules, but that's handled using libiptc.
The above change clashes with ebtables-nft's reuse of target objects:
While input parsing still just assigns the object from xtables_targets
list, rule conversion from nftnl to iptables_command_state allocates new
data. To fix this, make ebtables-nft input parsing use the common
command_jump() routine instead of its own simplified copy. In turn, this
also eliminates the ebtables-nft-specific variants of parse_target(),
though with a slight change of behaviour: Names of user-defined chains
are no longer allowed to contain up to 31 but merely 28 characters.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft-bridge.h')
-rw-r--r-- | iptables/nft-bridge.h | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h index de52cd71..d90066f1 100644 --- a/iptables/nft-bridge.h +++ b/iptables/nft-bridge.h @@ -32,7 +32,6 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas */ #define EBT_TABLE_MAXNAMELEN 32 -#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN #define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN /* verdicts >0 are "branches" */ @@ -122,6 +121,5 @@ void ebt_add_match(struct xtables_match *m, void ebt_add_watcher(struct xtables_target *watcher, struct iptables_command_state *cs); int ebt_command_default(struct iptables_command_state *cs); -struct xtables_target *ebt_command_jump(const char *jumpto); #endif |
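Review bot: Dropping the `#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN` line in the first hunk is the change behind the behavioural note in the commit message (chain names limited to 28 rather than 31 characters once the common `command_jump()`/`parse_target()` path is used), but this diffstat is limited to `iptables/nft-bridge.h`, so the hunk alone does not show that every remaining user of `EBT_CHAIN_MAXNAMELEN` has been converted; a remaining reference in another translation unit would break the build rather than just change the limit. Worth confirming that no other file still uses the macro, and that the new 28-character limit is what the ebtables-nft test cases exercise for user-defined chain names.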
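Review bot: Removing the `struct xtables_target *ebt_command_jump(const char *jumpto);` prototype in the second hunk is only consistent if the definition in the corresponding `.c` file and every caller are removed or switched to `command_jump()` in the same change; since this view shows the header alone, that cannot be checked here. Leaving a definition without a prototype would at least trigger a missing-prototype warning, and a leftover caller would fail to link, so the full commit should be reviewed with the `.c` side visible.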