From 892eaf39a4bd14ad25e55e5c0d4ef3dc163183da Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 15 Jan 2019 23:23:04 +0100
Subject: [PATCH] xtables: Fix position of replaced rules in cache
When replacing a rule, the replacement was simply appended to the
chain's rule list. Instead, insert it where the rule it replaces was.
This also fixes the zero counters command to remove the old rule from
cache.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 5ca9acf51adf9dcc8e0d82cd8f5b9b2514f900ee)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 34 +++++++++++++++++-----------------
iptables/nft.h | 2 +-
iptables/xtables-arp.c | 2 +-
iptables/xtables-eb.c | 2 +-
iptables/xtables.c | 4 ++--
5 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
|
|
|
029dc7 |
index c2af1a6fd0985..76764fde4e9fb 100644
|
|
|
029dc7 |
--- a/iptables/nft.c
|
|
|
029dc7 |
+++ b/iptables/nft.c
|
|
|
029dc7 |
@@ -1186,7 +1186,7 @@ nft_chain_find(struct nft_handle *h, const char *table, const char *chain);
|
|
|
029dc7 |
|
|
|
029dc7 |
int
|
|
|
029dc7 |
nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
|
|
|
029dc7 |
- void *data, uint64_t handle, bool verbose)
|
|
|
029dc7 |
+ void *data, struct nftnl_rule *ref, bool verbose)
|
|
|
029dc7 |
{
|
|
|
029dc7 |
struct nftnl_chain *c;
|
|
|
029dc7 |
struct nftnl_rule *r;
|
|
|
029dc7 |
@@ -1202,8 +1202,9 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
|
|
|
029dc7 |
if (r == NULL)
|
|
|
029dc7 |
return 0;
|
|
|
029dc7 |
|
|
|
029dc7 |
- if (handle > 0) {
|
|
|
029dc7 |
- nftnl_rule_set(r, NFTNL_RULE_HANDLE, &handle);
|
|
|
029dc7 |
+ if (ref) {
|
|
|
029dc7 |
+ nftnl_rule_set_u64(r, NFTNL_RULE_HANDLE,
|
|
|
029dc7 |
+ nftnl_rule_get_u64(ref, NFTNL_RULE_HANDLE));
|
|
|
029dc7 |
type = NFT_COMPAT_RULE_REPLACE;
|
|
|
029dc7 |
} else
|
|
|
029dc7 |
type = NFT_COMPAT_RULE_APPEND;
|
|
|
029dc7 |
@@ -1216,12 +1217,17 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
|
|
|
029dc7 |
if (verbose)
|
|
|
029dc7 |
h->ops->print_rule(r, 0, FMT_PRINT_RULE);
|
|
|
029dc7 |
|
|
|
029dc7 |
- c = nft_chain_find(h, table, chain);
|
|
|
029dc7 |
- if (!c) {
|
|
|
029dc7 |
- errno = ENOENT;
|
|
|
029dc7 |
- return 0;
|
|
|
029dc7 |
+ if (ref) {
|
|
|
029dc7 |
+ nftnl_chain_rule_insert_at(r, ref);
|
|
|
029dc7 |
+ nftnl_chain_rule_del(r);
|
|
|
029dc7 |
+ } else {
|
|
|
029dc7 |
+ c = nft_chain_find(h, table, chain);
|
|
|
029dc7 |
+ if (!c) {
|
|
|
029dc7 |
+ errno = ENOENT;
|
|
|
029dc7 |
+ return 0;
|
|
|
029dc7 |
+ }
|
|
|
029dc7 |
+ nftnl_chain_rule_add_tail(r, c);
|
|
|
029dc7 |
}
|
|
|
029dc7 |
- nftnl_chain_rule_add_tail(r, c);
|
|
|
029dc7 |
|
|
|
029dc7 |
return 1;
|
|
|
029dc7 |
}
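Review bot: `nftnl_chain_rule_del(r)` immediately after `nftnl_chain_rule_insert_at(r, ref)` unlinks the rule that was just inserted rather than the one being replaced, if `nftnl_chain_rule_del` removes its argument from the chain's rule list as its name suggests; the cache would then keep `ref` and lose the replacement, which is the opposite of what the commit message describes, and the `nftnl_rule_list_del(r)` this commit removes from nft_rule_replace no longer compensates for it. The intended line is presumably `nftnl_chain_rule_del(ref);`. nft_rule_zero_counters now goes through the same path with the old rule as `ref`, so both callers would see the stale rule stay in the cache. The body of nft_rule_append begins before this hunk, so the earlier use of `r` is not visible here.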
|
|
|
029dc7 |
@@ -2109,7 +2115,7 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
|
|
|
029dc7 |
r = nft_rule_find(h, c, data, rulenum - 1);
|
|
|
029dc7 |
if (r != NULL)
|
|
|
029dc7 |
return nft_rule_append(h, chain, table, data,
|
|
|
029dc7 |
- 0, verbose);
|
|
|
029dc7 |
+ NULL, verbose);
|
|
|
029dc7 |
|
|
|
029dc7 |
errno = ENOENT;
|
|
|
029dc7 |
goto err;
|
|
|
029dc7 |
@@ -2181,11 +2187,7 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
|
|
|
029dc7 |
(unsigned long long)
|
|
|
029dc7 |
nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE));
|
|
|
029dc7 |
|
|
|
029dc7 |
- nftnl_rule_list_del(r);
|
|
|
029dc7 |
-
|
|
|
029dc7 |
- ret = nft_rule_append(h, chain, table, data,
|
|
|
029dc7 |
- nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE),
|
|
|
029dc7 |
- verbose);
|
|
|
029dc7 |
+ ret = nft_rule_append(h, chain, table, data, r, verbose);
|
|
|
029dc7 |
} else
|
|
|
029dc7 |
errno = ENOENT;
|
|
|
029dc7 |
|
|
|
029dc7 |
@@ -2461,9 +2463,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
|
|
|
029dc7 |
|
|
|
029dc7 |
cs.counters.pcnt = cs.counters.bcnt = 0;
|
|
|
029dc7 |
|
|
|
029dc7 |
- ret = nft_rule_append(h, chain, table, &cs,
|
|
|
029dc7 |
- nftnl_rule_get_u64(r, NFTNL_RULE_HANDLE),
|
|
|
029dc7 |
- false);
|
|
|
029dc7 |
+ ret = nft_rule_append(h, chain, table, &cs, r, false);
|
|
|
029dc7 |
|
|
|
029dc7 |
error:
|
|
|
029dc7 |
return ret;
|
|
|
029dc7 |
diff --git a/iptables/nft.h b/iptables/nft.h
|
|
|
029dc7 |
index dfdffd69342db..97d73c8b534be 100644
|
|
|
029dc7 |
--- a/iptables/nft.h
|
|
|
029dc7 |
+++ b/iptables/nft.h
|
|
|
029dc7 |
@@ -98,7 +98,7 @@ bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain
|
|
|
029dc7 |
*/
|
|
|
029dc7 |
struct nftnl_rule;
|
|
|
029dc7 |
|
|
|
029dc7 |
-int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, uint64_t handle, bool verbose);
|
|
|
029dc7 |
+int nft_rule_append(struct nft_handle *h, const char *chain, const char *table, void *data, struct nftnl_rule *ref, bool verbose);
|
|
|
029dc7 |
int nft_rule_insert(struct nft_handle *h, const char *chain, const char *table, void *data, int rulenum, bool verbose);
|
|
|
029dc7 |
int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
|
|
|
029dc7 |
int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, void *data, bool verbose);
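Review bot: The new `ref` parameter of nft_rule_append is undocumented in the header, and its contract is only discoverable from nft.c: a non-NULL `ref` makes the new rule a replacement that takes over `ref`'s NFTNL_RULE_HANDLE and its position in the chain, while NULL appends to the chain's tail. A short comment above the prototype, e.g. `/* ref: rule to replace in place (its handle is reused); NULL appends to the chain tail */`, would spare callers in xtables.c, xtables-arp.c and xtables-eb.c from reading the implementation.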
|
|
|
029dc7 |
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
|
|
|
029dc7 |
index 2dce1a52f16fd..18cdced627c55 100644
|
|
|
029dc7 |
--- a/iptables/xtables-arp.c
|
|
|
029dc7 |
+++ b/iptables/xtables-arp.c
|
|
|
029dc7 |
@@ -825,7 +825,7 @@ append_entry(struct nft_handle *h,
|
|
|
029dc7 |
for (j = 0; j < ndaddrs; j++) {
|
|
|
029dc7 |
cs->arp.arp.tgt.s_addr = daddrs[j].s_addr;
|
|
|
029dc7 |
if (append) {
|
|
|
029dc7 |
- ret = nft_rule_append(h, chain, table, cs, 0,
|
|
|
029dc7 |
+ ret = nft_rule_append(h, chain, table, cs, NULL,
|
|
|
029dc7 |
verbose);
|
|
|
029dc7 |
} else {
|
|
|
029dc7 |
ret = nft_rule_insert(h, chain, table, cs,
|
|
|
029dc7 |
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
|
|
|
029dc7 |
index 871891442e431..4c52c29aa4817 100644
|
|
|
029dc7 |
--- a/iptables/xtables-eb.c
|
|
|
029dc7 |
+++ b/iptables/xtables-eb.c
|
|
|
029dc7 |
@@ -171,7 +171,7 @@ append_entry(struct nft_handle *h,
|
|
|
029dc7 |
int ret = 1;
|
|
|
029dc7 |
|
|
|
029dc7 |
if (append)
|
|
|
029dc7 |
- ret = nft_rule_append(h, chain, table, cs, 0, verbose);
|
|
|
029dc7 |
+ ret = nft_rule_append(h, chain, table, cs, NULL, verbose);
|
|
|
029dc7 |
else
|
|
|
029dc7 |
ret = nft_rule_insert(h, chain, table, cs, rule_nr, verbose);
|
|
|
029dc7 |
|
|
|
029dc7 |
diff --git a/iptables/xtables.c b/iptables/xtables.c
|
|
|
029dc7 |
index da11e8cc159a0..d0167e6396975 100644
|
|
|
029dc7 |
--- a/iptables/xtables.c
|
|
|
029dc7 |
+++ b/iptables/xtables.c
|
|
|
029dc7 |
@@ -406,7 +406,7 @@ add_entry(const char *chain,
|
|
|
029dc7 |
|
|
|
029dc7 |
if (append) {
|
|
|
029dc7 |
ret = nft_rule_append(h, chain, table,
|
|
|
029dc7 |
- cs, 0,
|
|
|
029dc7 |
+ cs, NULL,
|
|
|
029dc7 |
verbose);
|
|
|
029dc7 |
} else {
|
|
|
029dc7 |
ret = nft_rule_insert(h, chain, table,
|
|
|
029dc7 |
@@ -426,7 +426,7 @@ add_entry(const char *chain,
|
|
|
029dc7 |
&d.mask.v6[j], sizeof(struct in6_addr));
|
|
|
029dc7 |
if (append) {
|
|
|
029dc7 |
ret = nft_rule_append(h, chain, table,
|
|
|
029dc7 |
- cs, 0,
|
|
|
029dc7 |
+ cs, NULL,
|
|
|
029dc7 |
verbose);
|
|
|
029dc7 |
} else {
|
|
|
029dc7 |
ret = nft_rule_insert(h, chain, table,
--
2.21.0