author | Jan Engelhardt <jengelh@inai.de> | 2012-10-07 14:32:36 +0000 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-10-08 09:53:20 +0200 |
commit | dd43527cb6bdf3d469100850ca10dcd2fb761304 (patch) | |
tree | 058cdc61c36f467105b432dc67e786a1c96b22fb /iptables | |
parent | 4bdc1edf49dedd20519f2eaea95466400f627dd5 (diff) |
iptables: restore NOTRACK functionality, target aliasing
Commit v1.4.16-1-g2aaa7ec tests whether real_name is (or is not) NULL, a
test that was always false (or always true): real_name was never NULL, so cs->jumpto
would always be used, which rendered -j NOTRACK unusable, since the
chosen real name.revision is for example NOTRACK.1, which does not exist
at the kernel side.
# ./iptables/xtables-multi main4 -t raw -A foo -j NOTRACK
dbg: Using NOTRACK.1
WARNING: The NOTRACK target is obsolete. Use CT instead.
iptables: Protocol wrong type for socket.
To reasonably support the extra-special verdict names, make it so that
real_name remains NULL when an extension defined no alias, which we can
then use to determine whether the user entered an alias name (which
needs to be followed) or not.
[ I have mangled this patch to remove a comment unnecessarily large.
BTW, this patch gets this very close to the initial target aliasing
proposal --pablo ]
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/ip6tables.c | 17 | ||||
-rw-r--r-- | iptables/iptables.c | 19 |
2 files changed, 21 insertions, 15 deletions
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index faddb71b..0e11a9e1 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1286,15 +1286,15 @@ static void command_jump(struct iptables_command_state *cs)
 	cs->target->t = xtables_calloc(1, size);
 	cs->target->t->u.target_size = size;
-	if (cs->target->real_name != NULL)
+	if (cs->target->real_name == NULL) {
 		strcpy(cs->target->t->u.user.name, cs->jumpto);
-	else
+	} else {
 		strcpy(cs->target->t->u.user.name, cs->target->real_name);
-	cs->target->t->u.user.revision = cs->target->revision;
-	if (cs->target->real_name != cs->target->name)
 		fprintf(stderr, "WARNING: The %s target is obsolete. "
 			"Use %s instead.\n", cs->jumpto, cs->target->real_name);
+	}
+	cs->target->t->u.user.revision = cs->target->revision;
 	xs_init_target(cs->target);
 	if (cs->target->x6_options != NULL)
@@ -1322,11 +1322,14 @@ static void command_match(struct iptables_command_state *cs)
 	size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
 	m->m = xtables_calloc(1, size);
 	m->m->u.match_size = size;
-	strcpy(m->m->u.user.name, m->real_name);
-	m->m->u.user.revision = m->revision;
-	if (m->real_name != m->name)
+	if (m->real_name == NULL) {
+		strcpy(m->m->u.user.name, m->name);
+	} else {
+		strcpy(m->m->u.user.name, m->real_name);
 		fprintf(stderr, "WARNING: The %s match is obsolete. "
 			"Use %s instead.\n", m->name, m->real_name);
+	}
+	m->m->u.user.revision = m->revision;
 	xs_init_match(m);
 	if (m == m->next)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 96cea64d..f765cf98 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
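Review bot: The `real_name == NULL` branch in command_jump now copies cs->jumpto with an unbounded `strcpy` into the fixed-size `u.user.name` array, and the contract that makes that branch correct — real_name is NULL exactly when the extension registered no alias — is established outside this diff (the diffstat is limited to 'iptables'). That contract deserves a comment next to the test, as the iptables.c version of command_jump does with `/* Alias support for userspace side */`; the ip6tables.c hunk and both command_match hunks lack it. If the target/match lookup does not already bound the name length to the destination array, a bounded copy such as `snprintf(cs->target->t->u.user.name, sizeof(cs->target->t->u.user.name), "%s", cs->jumpto);` would remove the reliance on that invariant; I cannot confirm the bound from these hunks. The same applies to the `m->name` / `m->real_name` copies in the command_match hunks of both files. command_jump and command_match each start and end outside the hunks.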
@@ -1295,16 +1295,16 @@ static void command_jump(struct iptables_command_state *cs)
 	cs->target->t = xtables_calloc(1, size);
 	cs->target->t->u.target_size = size;
-	if (cs->target->real_name != NULL)
+	if (cs->target->real_name == NULL) {
 		strcpy(cs->target->t->u.user.name, cs->jumpto);
-	else
-		strcpy(cs->target->t->u.user.name, cs->target->real_name);
-	cs->target->t->u.user.revision = cs->target->revision;
-	if (cs->target->real_name != cs->target->name)
+	} else { /* Alias support for userspace side */
+		strcpy(cs->target->t->u.user.name, cs->target->real_name);
 		fprintf(stderr, "WARNING: The %s target is obsolete. "
 			"Use %s instead.\n", cs->jumpto, cs->target->real_name);
+	}
+	cs->target->t->u.user.revision = cs->target->revision;
 	xs_init_target(cs->target);
@@ -1333,11 +1333,14 @@ static void command_match(struct iptables_command_state *cs)
 	size = XT_ALIGN(sizeof(struct xt_entry_match)) + m->size;
 	m->m = xtables_calloc(1, size);
 	m->m->u.match_size = size;
-	strcpy(m->m->u.user.name, m->real_name);
-	m->m->u.user.revision = m->revision;
-	if (m->real_name != m->name)
+	if (m->real_name == NULL) {
+		strcpy(m->m->u.user.name, m->name);
+	} else {
+		strcpy(m->m->u.user.name, m->real_name);
 		fprintf(stderr, "WARNING: The %s match is obsolete. "
 			"Use %s instead.\n", m->name, m->real_name);
+	}
+	m->m->u.user.revision = m->revision;
 	xs_init_match(m);
 	if (m == m->next)