laurenceman / rpms / iptables

Forked from rpms/iptables 5 years ago
Clone
Source Code
GIT

Blame SOURCES/0004-xtables-Don-t-use-native-nftables-comments.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c8 c8-beta
  1.   8cce6c9672133a1e2ba9db7ae9662403f524b418
  2.   SOURCES
  3.   0004-xtables-Don-t-use-native-nftables-comments.patch
Blob History Raw
8cce6c 
From 33ec7bf3be4992f7db8049f2459afbcf8df67221 Mon Sep 17 00:00:00 2001
8cce6c 
From: Phil Sutter <phil@nwl.cc>
8cce6c 
Date: Tue, 27 Nov 2018 20:07:11 +0100
8cce6c 
Subject: [PATCH] xtables: Don't use native nftables comments
8cce6c
8cce6c 
The problem with converting libxt_comment into nftables comment is that
8cce6c 
rules change when parsing from kernel due to comment match being moved
8cce6c 
to the end of the match list. And since match ordering matters, the rule
8cce6c 
may not be found anymore when checking or deleting. Apart from that,
8cce6c 
iptables-nft didn't support multiple comments per rule anymore. This is
8cce6c 
a compatibility issue without technical reason.
8cce6c
8cce6c 
Leave conversion from nftables comment to libxt_comment in place so we
8cce6c 
don't break running systems during an update.
8cce6c
8cce6c 
Signed-off-by: Phil Sutter <phil@nwl.cc>
8cce6c 
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
8cce6c 
(cherry picked from commit ccf154d7420c07b6e6febc1c3b8b31d2bd1adbe6)
8cce6c
8cce6c 
Conflicts:
8cce6c 
- Dropped changes to extensions/libxt_comment.t not present in release
8cce6c 
  tarball.
8cce6c
8cce6c 
Signed-off-by: Phil Sutter <psutter@redhat.com>
8cce6c 
---
8cce6c 
 iptables/nft-ipv4.c | 14 +++-----------
8cce6c 
 iptables/nft-ipv6.c | 14 +++-----------
8cce6c 
 iptables/nft.c      | 27 ---------------------------
8cce6c 
 iptables/nft.h      |  1 -
8cce6c 
 4 files changed, 6 insertions(+), 50 deletions(-)
8cce6c
8cce6c 
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
8cce6c 
index ffb439b4a1128..4497eb9b9347c 100644
8cce6c 
--- a/iptables/nft-ipv4.c
8cce6c 
+++ b/iptables/nft-ipv4.c
8cce6c 
@@ -77,17 +77,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
8cce6c 
 	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
8cce6c
8cce6c 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
8cce6c 
-		/* Use nft built-in comments support instead of comment match */
8cce6c 
-		if (strcmp(matchp->match->name, "comment") == 0) {
8cce6c 
-			ret = add_comment(r, (char *)matchp->match->m->data);
8cce6c 
-			if (ret < 0)
8cce6c 
-				goto try_match;
8cce6c 
-		} else {
8cce6c 
-try_match:
8cce6c 
-			ret = add_match(r, matchp->match->m);
8cce6c 
-			if (ret < 0)
8cce6c 
-				return ret;
8cce6c 
-		}
8cce6c 
+		ret = add_match(r, matchp->match->m);
8cce6c 
+		if (ret < 0)
8cce6c 
+			return ret;
8cce6c 
 	}
8cce6c
8cce6c 
 	/* Counters need to me added before the target, otherwise they are
8cce6c 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
8cce6c 
index 7bacee4ab3a21..cacb1c9e141f2 100644
8cce6c 
--- a/iptables/nft-ipv6.c
8cce6c 
+++ b/iptables/nft-ipv6.c
8cce6c 
@@ -66,17 +66,9 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
8cce6c 
 	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
8cce6c
8cce6c 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
8cce6c 
-		/* Use nft built-in comments support instead of comment match */
8cce6c 
-		if (strcmp(matchp->match->name, "comment") == 0) {
8cce6c 
-			ret = add_comment(r, (char *)matchp->match->m->data);
8cce6c 
-			if (ret < 0)
8cce6c 
-				goto try_match;
8cce6c 
-		} else {
8cce6c 
-try_match:
8cce6c 
-			ret = add_match(r, matchp->match->m);
8cce6c 
-			if (ret < 0)
8cce6c 
-				return ret;
8cce6c 
-		}
8cce6c 
+		ret = add_match(r, matchp->match->m);
8cce6c 
+		if (ret < 0)
8cce6c 
+			return ret;
8cce6c 
 	}
8cce6c
8cce6c 
 	/* Counters need to me added before the target, otherwise they are
8cce6c 
diff --git a/iptables/nft.c b/iptables/nft.c
8cce6c 
index e8538d38e0109..6863d851e44c2 100644
8cce6c 
--- a/iptables/nft.c
8cce6c 
+++ b/iptables/nft.c
8cce6c 
@@ -1107,33 +1107,6 @@ enum udata_type {
8cce6c 
 };
8cce6c 
 #define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
8cce6c
8cce6c 
-int add_comment(struct nftnl_rule *r, const char *comment)
8cce6c 
-{
8cce6c 
-	struct nftnl_udata_buf *udata;
8cce6c 
-	uint32_t len;
8cce6c 
-
8cce6c 
-	if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
8cce6c 
-		return -EALREADY;
8cce6c 
-
8cce6c 
-	udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
8cce6c 
-	if (!udata)
8cce6c 
-		return -ENOMEM;
8cce6c 
-
8cce6c 
-	if (strnlen(comment, 255) == 255)
8cce6c 
-		return -ENOSPC;
8cce6c 
-
8cce6c 
-	if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
8cce6c 
-		return -ENOMEM;
8cce6c 
-
8cce6c 
-	nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
8cce6c 
-			    nftnl_udata_buf_data(udata),
8cce6c 
-			    nftnl_udata_buf_len(udata));
8cce6c 
-
8cce6c 
-	nftnl_udata_buf_free(udata);
8cce6c 
-
8cce6c 
-	return 0;
8cce6c 
-}
8cce6c 
-
8cce6c 
 static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
8cce6c 
 {
8cce6c 
 	unsigned char *value = nftnl_udata_get(attr);
8cce6c 
diff --git a/iptables/nft.h b/iptables/nft.h
8cce6c 
index 9b4ba5f9a63eb..052105fc6f3cd 100644
8cce6c 
--- a/iptables/nft.h
8cce6c 
+++ b/iptables/nft.h
8cce6c 
@@ -116,7 +116,6 @@ int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
8cce6c 
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
8cce6c 
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
8cce6c 
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
8cce6c 
-int add_comment(struct nftnl_rule *r, const char *comment);
8cce6c 
 char *get_comment(const void *data, uint32_t data_len);
8cce6c
8cce6c 
 enum nft_rule_print {
8cce6c 
--
8cce6c 
2.20.1
8cce6c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation