|
|
9c64ad |
commit 9b8cb7564a53865bf0e239bbc3e057de70edf65d
|
|
|
9c64ad |
Author: Dan Williams <dcbw@redhat.com>
|
|
|
9c64ad |
Date: Sat Feb 25 22:02:03 2017 -0600
|
|
|
9c64ad |
|
|
|
9c64ad |
libiptc: don't set_changed() when checking rules with module jumps
|
|
|
9c64ad |
|
|
|
9c64ad |
Checking a rule that includes a jump to a module-based target currently
|
|
|
9c64ad |
sets the "changed" flag on the handle, which then causes TC_COMMIT() to
|
|
|
9c64ad |
run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This
|
|
|
9c64ad |
seems wrong for simply checking rules, an operation which is documented
|
|
|
9c64ad |
as "...does not alter the existing iptables configuration..." but yet
|
|
|
9c64ad |
it clearly could do so.
|
|
|
9c64ad |
|
|
|
9c64ad |
Fix that by ensuring that rule check operations for module targets
|
|
|
9c64ad |
don't set the changed flag, and thus exit early from TC_COMMIT().
|
|
|
9c64ad |
|
|
|
9c64ad |
Signed-off-by: Dan Williams <dcbw@redhat.com>
|
|
|
9c64ad |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
9c64ad |
|
|
|
9c64ad |
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
|
|
|
9c64ad |
index 2c66d04..a6e7057 100644
|
|
|
9c64ad |
--- a/libiptc/libiptc.c
|
|
|
9c64ad |
+++ b/libiptc/libiptc.c
|
|
|
9c64ad |
@@ -1686,7 +1686,8 @@ iptcc_standard_map(struct rule_head *r, int verdict)
|
|
|
9c64ad |
|
|
|
9c64ad |
static int
|
|
|
9c64ad |
iptcc_map_target(struct xtc_handle *const handle,
|
|
|
9c64ad |
- struct rule_head *r)
|
|
|
9c64ad |
+ struct rule_head *r,
|
|
|
9c64ad |
+ bool dry_run)
|
|
|
9c64ad |
{
|
|
|
9c64ad |
STRUCT_ENTRY *e = r->entry;
|
|
|
9c64ad |
STRUCT_ENTRY_TARGET *t = GET_TARGET(e);
|
|
|
9c64ad |
@@ -1731,7 +1732,8 @@ iptcc_map_target(struct xtc_handle *const handle,
|
|
|
9c64ad |
0,
|
|
|
9c64ad |
FUNCTION_MAXNAMELEN - 1 - strlen(t->u.user.name));
|
|
|
9c64ad |
r->type = IPTCC_R_MODULE;
|
|
|
9c64ad |
- set_changed(handle);
|
|
|
9c64ad |
+ if (!dry_run)
|
|
|
9c64ad |
+ set_changed(handle);
|
|
|
9c64ad |
return 1;
|
|
|
9c64ad |
}
|
|
|
9c64ad |
|
|
|
9c64ad |
@@ -1781,7 +1783,7 @@ TC_INSERT_ENTRY(const IPT_CHAINLABEL chain,
|
|
|
9c64ad |
memcpy(r->entry, e, e->next_offset);
|
|
|
9c64ad |
r->counter_map.maptype = COUNTER_MAP_SET;
|
|
|
9c64ad |
|
|
|
9c64ad |
- if (!iptcc_map_target(handle, r)) {
|
|
|
9c64ad |
+ if (!iptcc_map_target(handle, r, false)) {
|
|
|
9c64ad |
free(r);
|
|
|
9c64ad |
return 0;
|
|
|
9c64ad |
}
|
|
|
9c64ad |
@@ -1831,7 +1833,7 @@ TC_REPLACE_ENTRY(const IPT_CHAINLABEL chain,
|
|
|
9c64ad |
memcpy(r->entry, e, e->next_offset);
|
|
|
9c64ad |
r->counter_map.maptype = COUNTER_MAP_SET;
|
|
|
9c64ad |
|
|
|
9c64ad |
- if (!iptcc_map_target(handle, r)) {
|
|
|
9c64ad |
+ if (!iptcc_map_target(handle, r, false)) {
|
|
|
9c64ad |
free(r);
|
|
|
9c64ad |
return 0;
|
|
|
9c64ad |
}
|
|
|
9c64ad |
@@ -1870,7 +1872,7 @@ TC_APPEND_ENTRY(const IPT_CHAINLABEL chain,
|
|
|
9c64ad |
memcpy(r->entry, e, e->next_offset);
|
|
|
9c64ad |
r->counter_map.maptype = COUNTER_MAP_SET;
|
|
|
9c64ad |
|
|
|
9c64ad |
- if (!iptcc_map_target(handle, r)) {
|
|
|
9c64ad |
+ if (!iptcc_map_target(handle, r, false)) {
|
|
|
9c64ad |
DEBUGP("unable to map target of rule for chain `%s'\n", chain);
|
|
|
9c64ad |
free(r);
|
|
|
9c64ad |
return 0;
|
|
|
9c64ad |
@@ -1976,7 +1978,7 @@ static int delete_entry(const IPT_CHAINLABEL chain, const STRUCT_ENTRY *origfw,
|
|
|
9c64ad |
|
|
|
9c64ad |
memcpy(r->entry, origfw, origfw->next_offset);
|
|
|
9c64ad |
r->counter_map.maptype = COUNTER_MAP_NOMAP;
|
|
|
9c64ad |
- if (!iptcc_map_target(handle, r)) {
|
|
|
9c64ad |
+ if (!iptcc_map_target(handle, r, dry_run)) {
|
|
|
9c64ad |
DEBUGP("unable to map target of rule for chain `%s'\n", chain);
|
|
|
9c64ad |
free(r);
|
|
|
9c64ad |
return 0;
|