
commit 9b8cb7564a53865bf0e239bbc3e057de70edf65d
Author: Dan Williams <dcbw@redhat.com>
Date:   Sat Feb 25 22:02:03 2017 -0600
    libiptc: don't set_changed() when checking rules with module jumps
    
    Checking a rule that includes a jump to a module-based target currently
    sets the "changed" flag on the handle, which then causes TC_COMMIT() to
    run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path.  This
    seems wrong for simply checking rules, an operation which is documented
    as "...does not alter the existing iptables configuration..." but yet
    it clearly could do so.
    
    Fix that by ensuring that rule check operations for module targets
    don't set the changed flag, and thus exit early from TC_COMMIT().
    
    Signed-off-by: Dan Williams <dcbw@redhat.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 2c66d04..a6e7057 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict)
 
 static int
 iptcc_map_target(struct xtc_handle *const handle,
-	   struct rule_head *r)
+	   struct rule_head *r,
+	   bool dry_run)
 {
 	STRUCT_ENTRY *e = r->entry;
 	STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
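Review bot: The new `dry_run` parameter on iptcc_map_target is not documented at the definition, and the meaning of "dry run" here is narrower than the name suggests: the hunk at line 1732 shows it only suppresses set_changed(handle) on the module-target path, while the target name is still copied into the rule. A comment above the function such as `/* dry_run: map the target without marking the handle changed (rule-check path); the rule_head itself is still filled in */` would make that clear. The body of iptcc_map_target continues beyond this hunk, and the hunk does not show whether `bool` is already in scope for this file (`<stdbool.h>` or an existing `bool` user), which is worth confirming if the build is not already exercised. The three caller hunks in TC_INSERT_ENTRY, TC_REPLACE_ENTRY and TC_APPEND_ENTRY are mechanical `false` pass-throughs and need no separate note.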
@@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle,
 	       0,
 	       FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
 	r->type = IPTCC_R_MODULE;
-	set_changed(handle);
+	if (!dry_run)
+		set_changed(handle);
 	return 1;
 }
 
@@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		free(r);
 		return 0;
 	}
@@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		free(r);
 		return 0;
 	}
@@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
 	memcpy(r->entry, e, e->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_SET;
 
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, false)) {
 		DEBUGP("unable to map target of rule for chain `%s'\n", chain);
 		free(r);
 		return 0;
@@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw,
 
 	memcpy(r->entry, origfw, origfw->next_offset);
 	r->counter_map.maptype = COUNTER_MAP_NOMAP;
-	if (!iptcc_map_target(handle, r)) {
+	if (!iptcc_map_target(handle, r, dry_run)) {
 		DEBUGP("unable to map target of rule for chain `%s'\n", chain);
 		free(r);
 		return 0;
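Review bot: `dry_run` is passed straight through to iptcc_map_target here, but delete_entry's own `dry_run` parameter is declared in the signature above this hunk, so its origin is not visible. If delete_entry serves both the delete and the check entry points, a real delete now relies on the changed flag being set elsewhere in delete_entry rather than by the mapping call; that appears intended, but a comment at the call such as `/* the check path passes dry_run=true; a real delete marks the handle changed when the rule is unlinked */` would record the dependency. The function continues beyond this hunk.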