From 86bf4207cb744c38807fb5c42c5921fc9964a2af Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 4 Mar 2022 12:50:01 +0100
Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
names
When restoring a ruleset, feed libxtables with chain names from
respective lines to avoid an extension search.
While the user's intention is clear, this effectively disables the
sanity check for clashes with target extensions. But:
* The check yielded only a warning and the clashing chain was finally
accepted.
* Users crafting iptables dumps for feeding into iptables-restore likely
know what they're doing.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
---
include/xtables.h | 3 +++
iptables/iptables-restore.c | 1 +
iptables/xtables-restore.c | 1 +
libxtables/xtables.c | 6 ++++++
4 files changed, 11 insertions(+)
diff --git a/include/xtables.h b/include/xtables.h
index 4aa084a1a2a30..d77a73a4303a7 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -632,6 +632,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
const char *xt_xlate_get_comment(struct xt_xlate *xl);
const char *xt_xlate_get(struct xt_xlate *xl);
+/* informed target lookups */
+void xtables_announce_chain(const char *name);
+
#ifdef XTABLES_INTERNAL
/* Shipped modules rely on this... */
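Review bot: The new public declaration `xtables_announce_chain` carries only the three-word comment `/* informed target lookups */`, yet it changes how later `-j NAME` arguments are resolved, so the contract should be spelled out at the declaration. Suggest a short doc comment stating that the name is recorded as a known chain so subsequent target lookups for it skip the extension search, that repeated calls for the same name are harmless, and that the entry is not removed again (the libxtables/xtables.c hunk shows insertion only; confirm no clearing path exists elsewhere). It is also worth stating that a non-NULL name is required, since the implementation hands it straight to the hash lookup.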
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index b0a51d491c508..339abaa32a055 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -309,6 +309,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
cb->ops->strerror(errno));
}
+ xtables_announce_chain(chain);
ret = 1;
} else if (in_table) {
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index a078da32045dc..41e7cb7661464 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -150,6 +150,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
"%s: line %u chain name invalid\n",
xt_params->program_name, line);
+ xtables_announce_chain(chain);
assert_valid_chain_name(chain);
policy = strtok(NULL, " \t\n");
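Review bot: `xtables_announce_chain(chain)` is called one line before `assert_valid_chain_name(chain)`, so a name the assertion rejects has already been inserted into libxtables' no-target table before the process bails out. Swap the two lines so only validated names are announced: `assert_valid_chain_name(chain);` followed by `xtables_announce_chain(chain);`. This is harmless as long as the assertion terminates the program, but the order matters if it ever becomes a soft failure, and announcing after validation keeps this path consistent with the iptables-restore.c hunk, where the announce follows the chain-creation error handling. xtables_restore_parse_line begins outside the hunk.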
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 1e1c218df7441..4aee74acb6816 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -274,6 +274,12 @@ static void notargets_hlist_insert(const char *name)
hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
}
+void xtables_announce_chain(const char *name)
+{
+ if (!notargets_hlist_lookup(name))
+ notargets_hlist_insert(name);
+}
+
void xtables_init(void)
{
xtables_libdir = getenv("XTABLES_LIBDIR");
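Review bot: `xtables_announce_chain` is an exported entry point but passes `name` straight to `notargets_hlist_lookup` and `notargets_hlist_insert` without a NULL check, and the visible `djb_hash(name)` call in the insert helper hashes the string, so a careless caller would crash inside the library rather than at the call site; an early `if (!name) return;` is cheap insurance. The function also has no comment; suggest a header comment saying it marks NAME as a user chain so later target lookups skip the extension search, that the lookup-before-insert makes repeated calls idempotent, and that entries are never removed. Because the table is process-wide, a chain name announced while restoring one table will presumably also suppress the extension search for the same `-j` name in tables restored later in the same run, which the commit message's "clash" trade-off does not mention explicitly; verify against the lookup call sites, which are outside this hunk.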
--
2.34.1