rpms / iptables

Clone
Source Code
GIT

Blame SOURCES/0038-arptables-nft-Don-t-print-default-h-len-h-type-value.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   ba7f2eb66499ec1b497d877fed53690b51ec45b3
  2.   SOURCES
  3.   0038-arptables-nft-Don-t-print-default-h-len-h-type-value.patch
Blob History Raw
8cce6c 
From 65303eb285ba082c24b2f2150918d63ed6c8398f Mon Sep 17 00:00:00 2001
8cce6c 
From: Phil Sutter <phil@nwl.cc>
8cce6c 
Date: Thu, 31 Jan 2019 16:12:55 +0100
8cce6c 
Subject: [PATCH] arptables-nft: Don't print default h-len/h-type values
8cce6c
8cce6c 
Default values for --h-len and --h-type being printed for rules where
8cce6c 
user didn't provide them is unexpected and confusing. The drawback is
8cce6c 
the opposite: If user provided either of them with their default value,
8cce6c 
they are later omitted when listing rules. Though since unlike legacy
8cce6c 
arptables we can't distinguish between not specified and specified with
8cce6c 
default value, we can't fix both - so choose to optimize for the more
8cce6c 
likely case.
8cce6c
8cce6c 
Fixes: 5aecb2d8bfdda ("arptables: pre-init hlen and ethertype")
8cce6c 
Signed-off-by: Phil Sutter <phil@nwl.cc>
8cce6c 
Signed-off-by: Florian Westphal <fw@strlen.de>
8cce6c 
(cherry picked from commit 84331e3ed3f8eb9d53c00c221113ad16b209968a)
8cce6c 
Signed-off-by: Phil Sutter <psutter@redhat.com>
8cce6c 
---
8cce6c 
 iptables/nft-arp.c                            |  4 +--
8cce6c 
 .../arptables/0001-arptables-save-restore_0   | 32 +++++++++----------
8cce6c 
 .../0002-arptables-restore-defaults_0         |  6 ++--
8cce6c 
 3 files changed, 21 insertions(+), 21 deletions(-)
8cce6c
8cce6c 
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
8cce6c 
index 2cbdf23214049..37b0985377bef 100644
8cce6c 
--- a/iptables/nft-arp.c
8cce6c 
+++ b/iptables/nft-arp.c
8cce6c 
@@ -537,7 +537,7 @@ after_devsrc:
8cce6c
8cce6c 
 after_devdst:
8cce6c
8cce6c 
-	if (fw->arp.arhln_mask != 0) {
8cce6c 
+	if (fw->arp.arhln_mask != 255 || fw->arp.arhln != 6) {
8cce6c 
 		printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHLN
8cce6c 
 			? "! " : "");
8cce6c 
 		printf("--h-length %d", fw->arp.arhln);
8cce6c 
@@ -561,7 +561,7 @@ after_devdst:
8cce6c 
 		sep = " ";
8cce6c 
 	}
8cce6c
8cce6c 
-	if (fw->arp.arhrd_mask != 0) {
8cce6c 
+	if (fw->arp.arhrd_mask != 65535 || fw->arp.arhrd != htons(1)) {
8cce6c 
 		uint16_t tmp = ntohs(fw->arp.arhrd);
8cce6c
8cce6c 
 		printf("%s%s", sep, fw->arp.invflags & ARPT_INV_ARPHRD
8cce6c 
diff --git a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0 b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
8cce6c 
index 0664e3b38d5e8..e10f61cc8f95b 100755
8cce6c 
--- a/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
8cce6c 
+++ b/iptables/tests/shell/testcases/arptables/0001-arptables-save-restore_0
8cce6c 
@@ -35,22 +35,22 @@ DUMP='*filter
8cce6c 
 :INPUT ACCEPT
8cce6c 
 :OUTPUT DROP
8cce6c 
 :foo -
8cce6c 
--A INPUT -j ACCEPT -s 10.0.0.0/8 --h-length 6 --h-type 1
8cce6c 
--A INPUT -j ACCEPT -d 192.168.123.1 --h-length 6 --h-type 1
8cce6c 
--A INPUT -j ACCEPT --src-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1
8cce6c 
--A INPUT -j ACCEPT --dst-mac fe:ed:ba:be:00:01 --h-length 6 --h-type 1
8cce6c 
--A INPUT -j foo --h-length 6 --h-type 1
8cce6c 
--A INPUT  --h-length 6 --h-type 1
8cce6c 
--A OUTPUT -j ACCEPT -o lo --h-length 6 --h-type 1
8cce6c 
--A OUTPUT -j mangle -o eth134 --h-length 6 --h-type 1 --mangle-ip-s 10.0.0.1
8cce6c 
--A OUTPUT -j CLASSIFY -o eth432 --h-length 6 --h-type 1 --set-class feed:babe
8cce6c 
--A OUTPUT -j CLASSIFY -o eth432 --h-length 6 --opcode 1 --h-type 1 --set-class feed:babe
8cce6c 
--A foo -j ACCEPT -i lo --h-length 6 --h-type 1
8cce6c 
--A foo -j ACCEPT --h-length 6 --h-type 1
8cce6c 
--A foo -j MARK --h-length 6 --h-type 1 --set-mark 12345
8cce6c 
--A foo -j ACCEPT --h-length 6 --opcode 1 --h-type 1
8cce6c 
--A foo -j ACCEPT --h-length 6 --h-type 1 --proto-type 0x800
8cce6c 
--A foo -j ACCEPT -i lo --h-length 6 --opcode 1 --h-type 1 --proto-type 0x800
8cce6c 
+-A INPUT -j ACCEPT -s 10.0.0.0/8
8cce6c 
+-A INPUT -j ACCEPT -d 192.168.123.1
8cce6c 
+-A INPUT -j ACCEPT --src-mac fe:ed:ba:be:00:01
8cce6c 
+-A INPUT -j ACCEPT --dst-mac fe:ed:ba:be:00:01
8cce6c 
+-A INPUT -j foo
8cce6c 
+-A INPUT
8cce6c 
+-A OUTPUT -j ACCEPT -o lo
8cce6c 
+-A OUTPUT -j mangle -o eth134 --mangle-ip-s 10.0.0.1
8cce6c 
+-A OUTPUT -j CLASSIFY -o eth432 --set-class feed:babe
8cce6c 
+-A OUTPUT -j CLASSIFY -o eth432 --opcode 1 --set-class feed:babe
8cce6c 
+-A foo -j ACCEPT -i lo
8cce6c 
+-A foo -j ACCEPT
8cce6c 
+-A foo -j MARK --set-mark 12345
8cce6c 
+-A foo -j ACCEPT --opcode 1
8cce6c 
+-A foo -j ACCEPT --proto-type 0x800
8cce6c 
+-A foo -j ACCEPT -i lo --opcode 1 --proto-type 0x800
8cce6c 
 '
8cce6c
8cce6c 
 diff -u <(echo -e "$DUMP") <($XT_MULTI arptables-save)
8cce6c 
diff --git a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0 b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
8cce6c 
index d742c3d506305..b2ed95e87bb40 100755
8cce6c 
--- a/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
8cce6c 
+++ b/iptables/tests/shell/testcases/arptables/0002-arptables-restore-defaults_0
8cce6c 
@@ -11,7 +11,7 @@ set -e
8cce6c 
 DUMP='*filter
8cce6c 
 :OUTPUT ACCEPT
8cce6c 
 -A OUTPUT -j mangle --mangle-ip-s 10.0.0.1
8cce6c 
--A OUTPUT -j mangle --h-length 6 --h-type 1 --mangle-ip-d 10.0.0.2
8cce6c 
+-A OUTPUT -j mangle --mangle-ip-d 10.0.0.2
8cce6c 
 '
8cce6c
8cce6c 
 # note how mangle-ip-s is unset in second rule
8cce6c 
@@ -19,8 +19,8 @@ DUMP='*filter
8cce6c 
 EXPECT='*filter
8cce6c 
 :INPUT ACCEPT
8cce6c 
 :OUTPUT ACCEPT
8cce6c 
--A OUTPUT -j mangle --h-length 6 --h-type 1 --mangle-ip-s 10.0.0.1
8cce6c 
--A OUTPUT -j mangle --h-length 6 --h-type 1 --mangle-ip-d 10.0.0.2
8cce6c 
+-A OUTPUT -j mangle --mangle-ip-s 10.0.0.1
8cce6c 
+-A OUTPUT -j mangle --mangle-ip-d 10.0.0.2
8cce6c 
 '
8cce6c
8cce6c 
 $XT_MULTI arptables -F
8cce6c 
--
8cce6c 
2.20.1
8cce6c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation