From 63ab4fe3a1919b668953542841f4397544c4bb15 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 15 Sep 2021 17:37:51 +0200 Subject: ebtables: Avoid dropping policy when flushing Unlike nftables, ebtables' user-defined chains have policies - ebtables-nft implements those internally as invisible last rule. In order to recreate them after a flush command, a rule cache is needed. https://bugzilla.netfilter.org/show_bug.cgi?id=1558 --- iptables/nft-cmd.c | 4 ++- .../shell/testcases/ebtables/0007-chain-policies_0 | 41 ++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100755 iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c index 35b39268..2d874bd4 100644 --- a/iptables/nft-cmd.c +++ b/iptables/nft-cmd.c @@ -167,7 +167,9 @@ int nft_cmd_rule_flush(struct nft_handle *h, const char *chain, if (!cmd) return 0; - if (chain || verbose) + if (h->family == NFPROTO_BRIDGE) + nft_cache_level_set(h, NFT_CL_RULES, cmd); + else if (chain || verbose) nft_cache_level_set(h, NFT_CL_CHAINS, cmd); else nft_cache_level_set(h, NFT_CL_TABLES, cmd); diff --git a/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 new file mode 100755 index 00000000..faf37d02 --- /dev/null +++ b/iptables/tests/shell/testcases/ebtables/0007-chain-policies_0 @@ -0,0 +1,41 @@ +#!/bin/sh + +case "$XT_MULTI" in +*xtables-nft-multi) + ;; +*) + echo "skip $XT_MULTI" + exit 0 + ;; +esac + +set -e + +# ebtables supports policies in user-defined chains %) +# and the default policy is ACCEPT ... +$XT_MULTI ebtables -N FOO -P DROP +$XT_MULTI ebtables -N BAR +$XT_MULTI ebtables -P BAR RETURN +$XT_MULTI ebtables -N BAZ + +EXPECT_BASE="*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT" + +EXPECT="$EXPECT_BASE +:BAR RETURN +:BAZ ACCEPT +:FOO DROP" + +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# rule commands must not break the policies +$XT_MULTI ebtables -A FOO -j ACCEPT +$XT_MULTI ebtables -D FOO -j ACCEPT +$XT_MULTI ebtables -F +diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#') + +# dropping the chains must implicitly remove the policy rule as well +$XT_MULTI ebtables -X +diff -u -Z <(echo -e "$EXPECT_BASE") <($XT_MULTI ebtables-save | grep -v '^#') -- cgit v1.2.3