Message ID | 20190910211059.9872-1-fw@strlen.de |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Series | [ebtables-nft] ebtables: fix over-eager -o checks on custom chains |
On Tue, Sep 10, 2019 at 11:10:59PM +0200, Florian Westphal wrote:
> Arturo reports ebtables-nft reports an error when -o is
> used in custom chains:
>
> -A MYCHAIN -o someif
> makes ebtables-nft exit with an error:
> "Use -o only in OUTPUT, FORWARD and POSTROUTING chains."
>
> Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
> to mean "builtin", so -1 mistakenly leads to the checks being active.

LGTM.
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 121ecbecd0b6..3b03daef28eb 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain) else if (strcmp(chain, "POSTROUTING") == 0) return NF_BR_POST_ROUTING; - return -1; + /* placeholder for user defined chain */ + return NF_BR_NUMHOOKS; } /* @@ -1223,7 +1224,7 @@ print_zero: cs.eb.ethproto = htons(cs.eb.ethproto); if (command == 'P') { - if (selected_chain < 0) { + if (selected_chain >= NF_BR_NUMHOOKS) { ret = ebt_set_user_chain_policy(h, *table, chain, policy); } else { if (strcmp(policy, "RETURN") == 0) {
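Review bot: in ebt_get_current_chain(), the new fallthrough `return NF_BR_NUMHOOKS;` is taken for every name that does not match a builtin, so the result cannot distinguish an existing user-defined chain from a mistyped one, and the one-line comment is the only place the sentinel is explained. Consider stating the contract in the function's header comment (builtin hook number, or NF_BR_NUMHOOKS for anything else). Because the sentinel changed from -1, every remaining caller that tests the result with `< 0` or `== -1` needs a look; this patch converts only the one in the 'P' handling.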
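Review bot: in the `command == 'P'` branch, `selected_chain >= NF_BR_NUMHOOKS` now routes any negative selected_chain into the else path for builtin chains, whereas the old `selected_chain < 0` test sent it to ebt_set_user_chain_policy(). If selected_chain can still be negative at this point, that is a silent behaviour change; worth confirming it is always assigned from ebt_get_current_chain() before the policy command is handled, or testing explicitly for the builtin range (0 up to but not including NF_BR_NUMHOOKS) and treating everything else as a user chain.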
Arturo reports ebtables-nft reports an error when -o is
used in custom chains:

-A MYCHAIN -o someif
makes ebtables-nft exit with an error:
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
to mean "builtin", so -1 mistakenly leads to the checks being active.

Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 iptables/xtables-eb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)