authorPhil Sutter <phil@nwl.cc>2022-10-11 18:46:55 +0200
committerPhil Sutter <phil@nwl.cc>2022-11-18 15:50:24 +0100
commitc327e9331e50d7b4d6cfd0a82fb38bec73703bfb (patch)
treedcfac81d4ae15a21ddacbc1edc7a9d4530b86d46
parent4521732ebbf34573062d2cad2f74b98910ea1c5b (diff)
Warn for tables with compat expressions in rules
While being able to "look inside" compat expressions using nft is a nice feature, it is also (yet another) pitfall for unaware users, deceiving them into assuming interchangeability (or at least compatibility) between iptables-nft and nft. In reality, which involves 'nft list ruleset | nft -f -', any correctly translated compat expressions will turn into native nftables ones not understood by (the version of) iptables-nft which created them in the first place. Other compat expressions will vanish, potentially compromising the firewall ruleset. Emit a warning (as comment) to give users a chance to stop and reconsider before shooting themselves in the foot. Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--include/rule.h1
-rw-r--r--src/rule.c16
-rw-r--r--src/xt.c2
3 files changed, 16 insertions, 3 deletions
diff --git a/include/rule.h b/include/rule.h
index ad9f9127..00a1bac5 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -169,6 +169,7 @@ struct table {
unsigned int refcnt;
uint32_t owner;
const char *comment;
+ bool has_xt_stmts;
};
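Review bot: The new `has_xt_stmts` field on L25 carries no comment, and what sets it (a compat match/target being parsed into one of the table's rules, per the assignments in src/xt.c) is not obvious from the name alone to readers of the public header. Suggest `bool has_xt_stmts; /* set when a compat (xt) match/target was parsed in a rule of this table */`. The `struct table` definition begins outside the hunk.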
extern struct table *table_alloc(void);
diff --git a/src/rule.c b/src/rule.c
index d1ee6c2e..1402210a 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1233,6 +1233,11 @@ static void table_print(const struct table *table, struct output_ctx *octx)
const char *delim = "";
const char *family = family2str(table->handle.family);
+ if (table->has_xt_stmts)
+ fprintf(octx->error_fp,
+ "# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+ family, table->handle.table.name);
+
nft_print(octx, "table %s %s {", family, table->handle.table.name);
if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER)
nft_print(octx, " #");
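Review bot: The warning on L36-L38 goes to octx->error_fp while the listing itself goes through nft_print(), so a user who saves the ruleset with `nft list ruleset > rules.nft` (or a script that discards stderr) never sees it, and the saved file carries no trace that it will lose or translate compat expressions on reload — the exact failure the commit message describes. If keeping stdout byte-stable (e.g. for the test suite) is the reason, a comment saying so would help; otherwise consider emitting the `# Warning: ...` line through nft_print() as well, since nft -f accepts comments and the warning would then travel with the file. The "managed by iptables-nft" wording is also more than the code can vouch for: the flag only records that an xt match/target was parsed, which ebtables-nft, arptables-nft or any other compat-expression producer would trigger too, so `"# Warning: table %s %s contains iptables-nft compat expressions, do not touch!\n"` describes what is actually known. table_print's body continues outside the hunk.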
@@ -2387,9 +2392,14 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
static void table_print_declaration(struct table *table,
struct output_ctx *octx)
{
- nft_print(octx, "table %s %s {\n",
- family2str(table->handle.family),
- table->handle.table.name);
+ const char *family = family2str(table->handle.family);
+
+ if (table->has_xt_stmts)
+ fprintf(octx->error_fp,
+ "# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+ family, table->handle.table.name);
+
+ nft_print(octx, "table %s %s {\n", family, table->handle.table.name);
}
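Review bot: The fprintf() block on L52-L55 duplicates the one added to table_print() verbatim, format string included, so the two warnings will drift apart at the next wording change and any later fix (stream, text, guard) has to be applied twice. Factor it into one static helper used by both print paths; L52-L55 then collapse to `table_xt_warning(table, octx);`. fprintf's return value is unchecked in both copies, which matches the rest of the file as far as the hunk shows.
```c
/* Warn on the error stream when a rule of this table carried an xt
 * compat match/target: reloading such a listing drops or translates
 * those expressions (see commit message). */
static void table_xt_warning(const struct table *table,
			     struct output_ctx *octx)
{
	if (!table->has_xt_stmts)
		return;
	fprintf(octx->error_fp,
		"# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
		family2str(table->handle.family), table->handle.table.name);
}

static void table_print_declaration(struct table *table,
				    struct output_ctx *octx)
{
	table_xt_warning(table, octx);
	nft_print(octx, "table %s %s {\n",
		  family2str(table->handle.family), table->handle.table.name);
}
```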
static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,
diff --git a/src/xt.c b/src/xt.c
index 789de992..a5417352 100644
--- a/src/xt.c
+++ b/src/xt.c
@@ -238,6 +238,7 @@ void netlink_parse_match(struct netlink_parse_ctx *ctx,
stmt->xt.name = strdup(name);
stmt->xt.type = NFT_XT_MATCH;
#endif
+ ctx->table->has_xt_stmts = true;
rule_stmt_append(ctx->rule, stmt);
}
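Review bot: L68 dereferences ctx->table unconditionally, and whether every caller of netlink_parse_match() guarantees a non-NULL table in the parse context cannot be told from this hunk; if any path parses a rule without an attached table object this is a NULL dereference on a listing. Either confirm at the call sites or guard it: `if (ctx->table) ctx->table->has_xt_stmts = true;`. Placing the assignment after `#endif` is right, since the warning should fire whether or not nft was built with libxtables. netlink_parse_match() begins outside the hunk.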
@@ -283,6 +284,7 @@ void netlink_parse_target(struct netlink_parse_ctx *ctx,
stmt->xt.name = strdup(name);
stmt->xt.type = NFT_XT_TARGET;
#endif
+ ctx->table->has_xt_stmts = true;
rule_stmt_append(ctx->rule, stmt);
}
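Review bot: The flag set on L75 is sticky — nothing in this change clears it — so once a compat target has been parsed into a cached struct table the warning presumably keeps firing for that cache's lifetime even after the rule is deleted, and conversely a table object whose rules were never fetched would not get it set; both depend on cache handling outside this hunk. A comment on the assignment would save the next reader from re-deriving this: `/* sticky for the lifetime of the cached table; only rule parsing sets it */`. netlink_parse_target() begins outside the hunk.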