diff options
-rw-r--r-- | iptables/nft-bridge.c | 35 | ||||
-rw-r--r-- | iptables/xtables-eb.c | 55 |
2 files changed, 48 insertions, 42 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index c8605dc9..386da869 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -25,16 +25,45 @@ void ebt_cs_clean(struct iptables_command_state *cs) { struct ebt_match *m, *nm; + struct xtables_rule_match *matchp, *tmp; - xtables_rule_matches_free(&cs->matches); + for (matchp = cs->matches; matchp;) { + tmp = matchp->next; + + if (matchp->match == matchp->match->next) { + free(matchp->match); + matchp->match = NULL; + } + free(matchp); + matchp = tmp; + } for (m = cs->match_list; m;) { + if (m->ismatch) { + struct xtables_match *match = m->u.match; + + memset(match->m->data, 0, + match->m->u.match_size - sizeof(*match->m)); + if (match->init) + match->init(match->m); + } else { + struct xtables_target *target = m->u.watcher; + + memset(target->t->data, 0, + target->t->u.target_size - sizeof(*target->t)); + if (target->init) + target->init(target->t); + } + nm = m->next; - if (!m->ismatch) - free(m->u.watcher->t); free(m); m = nm; } + + if (cs->target) { + if (cs->target->udata_size) + free(cs->target->udata); + } } /* 0: default, print only 2 digits if necessary diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index c5c98c33..ac3ecb8e 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -380,33 +380,22 @@ static struct option *merge_options(struct option *oldopts, /* * More glue code. */ -static struct xtables_target *command_jump(struct iptables_command_state *cs, - const char *jumpto) +static struct xtables_target *command_jump(const char *jumpto) { struct xtables_target *target; - size_t size; - - /* XTF_TRY_LOAD (may be chain name) */ - target = xtables_find_target(jumpto, XTF_TRY_LOAD); - - if (!target) - return NULL; - - size = XT_ALIGN(sizeof(struct xt_entry_target)) - + target->size; - - target->t = xtables_calloc(1, size); - target->t->u.target_size = size; - snprintf(target->t->u.user.name, - sizeof(target->t->u.user.name), "%s", jumpto); - target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0'; - target->t->u.user.revision = target->revision; + unsigned int verdict; - xs_init_target(target); + /* Standard target? */ + if (!ebt_fill_target(jumpto, &verdict)) + jumpto = "standard"; - opts = merge_options(opts, target->extra_opts, &target->option_offset); - if (opts == NULL) - xtables_error(OTHER_PROBLEM, "Can't alloc memory"); + /* For ebtables, all targets are preloaded. Hence it is either in + * xtables_targets or a custom chain to jump to, in which case + * returning NULL is fine. */ + for (target = xtables_targets; target; target = target->next) { + if (!strcmp(target->name, jumpto)) + break; + } return target; } @@ -668,6 +657,7 @@ void ebt_load_match_extensions(void) ebt_load_target("dnat"); ebt_load_target("snat"); ebt_load_target("redirect"); + ebt_load_target("standard"); } void ebt_add_match(struct xtables_match *m, @@ -787,20 +777,6 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table, struct xtables_rule_match *xtrm_i; struct ebt_match *match; - if (nft_init(h, xtables_bridge) < 0) - xtables_error(OTHER_PROBLEM, - "Could not initialize nftables layer."); - - h->ops = nft_family_ops_lookup(h->family); - if (h->ops == NULL) - xtables_error(PARAMETER_PROBLEM, "Unknown family"); - - /* manually registering ebt matches, given the original ebtables parser - * don't use '-m matchname' and the match can't loaded dinamically when - * the user calls it. - */ - ebt_load_match_extensions(); - /* clear mflags in case do_commandeb gets called a second time * (we clear the global list of all matches for security)*/ for (m = xtables_matches; m; m = m->next) @@ -1047,7 +1023,7 @@ print_zero: } else if (c == 'j') { ebt_check_option2(&flags, OPT_JUMP); cs.jumpto = parse_target(optarg); - cs.target = command_jump(&cs, cs.jumpto); + cs.target = command_jump(cs.jumpto); break; } else if (c == 's') { ebt_check_option2(&flags, OPT_SOURCE); @@ -1231,7 +1207,8 @@ print_zero: /* Is it a watcher option? */ for (w = xtables_targets; w; w = w->next) { - if (w->parse(c - w->option_offset, argv, + if (w->parse && + w->parse(c - w->option_offset, argv, ebt_invert, &w->tflags, NULL, &w->t)) { ebt_add_watcher(w, &cs); |