author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-02-06 15:28:41 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-02-07 11:38:49 +0100 |
commit | 27c753e4a8d4744f479345e3f5e34cafef751602 (patch) | |
tree | 13ac057d25e560e8b6220917290a9a39aea3594b /src/rule.c | |
parent | 784597a4ed63b9decb10d74fdb49a1b021e22728 (diff) |
rule: expand standalone chain that contains rules
Otherwise rules that this chain contains are ignored when expressed
using the following syntax:
chain inet filter input2 {
type filter hook input priority filter; policy accept;
ip saddr 1.2.3.4 tcp dport { 22, 443, 123 } drop
}
When expanding the chain, remove the rule so the new CMD_OBJ_CHAIN
case does not expand it again.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1655
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 15 |
1 files changed, 12 insertions, 3 deletions
@@ -1312,11 +1312,12 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc)
 static void nft_cmd_expand_chain(struct chain *chain, struct list_head *new_cmds)
 {
-	struct rule *rule;
+	struct rule *rule, *next;
 	struct handle h;
 	struct cmd *new;
-	list_for_each_entry(rule, &chain->rules, list) {
+	list_for_each_entry_safe(rule, next, &chain->rules, list) {
+		list_del(&rule->list);
 		memset(&h, 0, sizeof(h));
 		handle_merge(&h, &rule->handle);
 		if (chain->flags & CHAIN_F_BINDING) {
@@ -1324,7 +1325,7 @@ static void nft_cmd_expand_chain(struct chain *chain, struct list_head *new_cmds
 			rule->handle.chain.location = chain->location;
 		}
 		new = cmd_alloc(CMD_ADD, CMD_OBJ_RULE, &h,
-				&rule->location, rule_get(rule));
+				&rule->location, rule);
 		list_add_tail(&new->list, new_cmds);
 	}
 }
@@ -1385,6 +1386,14 @@ void nft_cmd_expand(struct cmd *cmd)
 		list_splice(&new_cmds, &cmd->list);
 		break;
+	case CMD_OBJ_CHAIN:
+		chain = cmd->chain;
+		if (!chain || list_empty(&chain->rules))
+			break;
+
+		nft_cmd_expand_chain(chain, &new_cmds);
+		list_splice(&new_cmds, &cmd->list);
+		break;
 	case CMD_OBJ_SET:
 	case CMD_OBJ_MAP:
 		set = cmd->set;
|
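Review bot: The `list_del(&rule->list)` added at the top of the loop changes the ownership contract of nft_cmd_expand_chain — each rule is unlinked from `chain->rules` and, together with the `rule_get()` dropped in the following hunk, the new CMD_ADD command takes over the chain's own reference rather than holding a second one — but nothing in the function states this. I would add above the loop: `/* Move rules out of the chain: the CMD_OBJ_RULE command built below takes over the chain's reference (no rule_get()), leaving chain->rules empty. */`. Any other caller of nft_cmd_expand_chain (the table-expansion path is not in this hunk) now also sees the chain's rule list emptied after the call, which is presumably intended but worth confirming against code that later walks `chain->rules`, e.g. for error reporting or when the chain is freed. The loop body continues in the next hunk.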
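Review bot: The `list_empty(&chain->rules)` guard in the new CMD_OBJ_CHAIN case also serves as the re-expansion check — nft_cmd_expand_chain() unlinks every rule it turns into a command, so a chain that was already expanded (including via its enclosing table, if that path calls the same helper) is skipped here — and that coupling deserves a comment on the `if`, e.g. `/* rules already moved into CMD_OBJ_RULE commands leave this list empty */`. The `chain` variable is assigned but not declared in this hunk, so I assume it is a local of nft_cmd_expand shared with the other cases. nft_cmd_expand begins before the hunk and the switch continues after it.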