From fd95f1f0223f8e2ecf91aa8d1a4ba84576861082 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Fri, 2 Nov 2018 14:36:54 +0100
Subject: ebtables: fix -j CONTINUE handling for add/delete

-j CONTINUE can be added, but it can't be removed:
extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE)

This problem stems from silly ambiguity in ebtables-nft vs. iptables.

In iptables, you can do
iptables -A INPUT (no -j)

in ebtables, you can do either
ebtables -A INPUT
or
ebtables -A INPUT -j CONTINUE

both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side).

However, the temprary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target().

When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules.

So when doing
-I INPUT -j CONTINUE
-D INPUT -j CONTINUE

the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary represenation doesn't.

Fix it by ignoring 'CONTINUE' on parser side.

Signed-off-by: Florian Westphal
---
 extensions/libebt_standard.t | 1 +
 iptables/nft-bridge.c | 26 +-------------------------
 iptables/xtables-eb.c | 7 +++++--
 3 files changed, 7 insertions(+), 27 deletions(-)

diff --git a/extensions/libebt_standard.t b/extensions/libebt_standard.t
index 59ca337a..04991e1f 100644
--- a/extensions/libebt_standard.t
+++ b/extensions/libebt_standard.t
@@ -2,5 +2,6 @@
 -s 0:0:0:0:0:0;=;OK
 -d 00:00:0:00:00:00;-d 0:0:0:0:0:0;OK
 -s de:ad:be:ef:0:00 -j RETURN;-s de:ad:be:ef:0:0 -j RETURN;OK
+-d de:ad:be:ef:00:00 -j CONTINUE;=;OK
 -d de:ad:be:ef:0:0;=;OK
 -d de:ad:be:ef:00:00/ff:ff:ff:ff:00:00 -j DROP;-d de:ad:be:ef:0:0/ff:ff:ff:ff:0:0 -j DROP;OK
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 35c862cf..a616f845 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -120,33 +120,9 @@ static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
 add_cmp_ptr(r, op, iface, iface_len + 1);
 }
 
-/* TODO: Use generic add_action() once we convert this to use
- * iptables_command_state.
- */
 static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
 {
- int ret = 0;
-
- if (cs->jumpto == NULL || strcmp(cs->jumpto, "CONTINUE") == 0)
- return 0;
-
- /* If no target at all, add nothing (default to continue) */
- if (cs->target != NULL) {
- /* Standard target? */
- if (strcmp(cs->jumpto, XTC_LABEL_ACCEPT) == 0)
- ret = add_verdict(r, NF_ACCEPT);
- else if (strcmp(cs->jumpto, XTC_LABEL_DROP) == 0)
- ret = add_verdict(r, NF_DROP);
- else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
- ret = add_verdict(r, NFT_RETURN);
- else
- ret = add_target(r, cs->target->t);
- } else if (strlen(cs->jumpto) > 0) {
- /* Not standard, then it's a jump to chain */
- ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
- }
-
- return ret;
+ return add_action(r, cs, false);
 }
 
 static int nft_bridge_add(struct nftnl_rule *r, void *data)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 64f332c1..721bab57 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -824,6 +824,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
 struct xtables_target *t;
 struct iptables_command_state cs = {
 .argv = argv,
+ .jumpto = "",
 .eb.bitmask = EBT_NOPROTO,
 };
 char command = 'h';
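Review bot: The `cs->jumpto == NULL` guard removed from `_add_action` is not re-established here, so the function now relies either on `add_action()` (not in this hunk) tolerating a NULL jump target or on every caller initialising `cs->jumpto`; the `.jumpto = ""` added to `do_commandeb` covers the command-line path, but any other place that builds an `iptables_command_state` for this function (a restore or netlink-to-rule path, if one exists) would need the same default, which is worth confirming before merging. The bare `false` in `return add_action(r, cs, false);` also tells a reader nothing about which behaviour it switches off; a short trailing comment naming the parameter it satisfies would keep the one-line wrapper self-explanatory.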
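Review bot: The new `.jumpto = ""` initializer is the silent counterpart of the NULL check dropped from `_add_action` in nft-bridge.c, yet nothing at the declaration says the empty string is now a load-bearing default rather than a cosmetic one. Suggest documenting it in place, e.g. `.jumpto = "", /* no target given: same as -j CONTINUE; must not stay NULL for add_action() */`. The body of `do_commandeb` continues well beyond this hunk.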
@@ -1066,8 +1067,10 @@ print_zero:
 break;
 } else if (c == 'j') {
 ebt_check_option2(&flags, OPT_JUMP);
- cs.jumpto = parse_target(optarg);
- cs.target = ebt_command_jump(cs.jumpto);
+ if (strcmp(optarg, "CONTINUE") != 0) {
+ cs.jumpto = parse_target(optarg);
+ cs.target = ebt_command_jump(cs.jumpto);
+ }
 break;
 } else if (c == 's') {
 ebt_check_option2(&flags, OPT_SOURCE);
-- 
cgit v1.2.3
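Review bot: The CONTINUE special case is decided on the raw `optarg` with an exact, case-sensitive `strcmp` before `parse_target()` ever sees it, and the hunk carries no comment explaining why this one target is dropped at parse time while every other one goes through `parse_target`/`ebt_command_jump`. Suggest a comment above the new `if`, e.g. `/* -j CONTINUE is the no-op default: leave cs.jumpto/cs.target unset so the rule matches its netlink-derived form on -D */`, so the next reader does not "fix" it back. Note that `ebt_check_option2(&flags, OPT_JUMP)` still runs before the compare, so `-j CONTINUE` followed by a second `-j` is presumably still rejected as a duplicate option (that helper's behaviour is not visible here); if that is intended, the same comment is the place to say so. The enclosing option-parsing loop in `do_commandeb` starts and ends outside this hunk.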