Message ID | CAEyr1FRKpudN76NbA-o0MAsMy8XpPFjBwviSy4xtWB46LcCekw@mail.gmail.com |
---|---|
State | Superseded |
On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> This patch fixes the issue where the rules are added for a non-existent
> interface and cannot be deleted.
> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> you to add the rule where the eth10.10 interface is not created,
> but will not allow you to delete it, as the label maps to * by
> if_nametoindex().

This patch doesn't apply:

patch -p1 < /tmp/anand.patch
patching file iptables/nft-shared.c
patch: **** malformed patch at line 6: *iface, int invflags)

Please, no need to split things in that many chunks per file. One
single patch file to address one thing is just fine; the repository
has to remain in a consistent state between patches.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> This patch fixes the issue where the rules are added for a non-existent
>> interface and cannot be deleted.
>> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
>> you to add the rule where the eth10.10 interface is not created,
>> but will not allow you to delete it, as the label maps to * by
>> if_nametoindex().
>
> This patch doesn't apply:
>
> patch -p1 < /tmp/anand.patch
> patching file iptables/nft-shared.c
> patch: **** malformed patch at line 6: *iface, int invflags)
>
> Please, no need to split things in that many chunks per file. One
> single patch file to address one thing is just fine; the repository
> has to remain in a consistent state between patches.
>
> Thanks.

Merged all into a single patch.

Thanks,
Anand
On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> This patch fixes the issue where the rules are added for a non-existent
> >> interface and cannot be deleted.
> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> you to add the rule where the eth10.10 interface is not created,
> >> but will not allow you to delete it, as the label maps to * by
> >> if_nametoindex().
> >
> > This patch doesn't apply:
> >
> > patch -p1 < /tmp/anand.patch
> > patching file iptables/nft-shared.c
> > patch: **** malformed patch at line 6: *iface, int invflags)
> >
> > Please, no need to split things in that many chunks per file. One
> > single patch file to address one thing is just fine; the repository
> > has to remain in a consistent state between patches.
> >
> > Thanks.
>
> Merged all into a single patch.

I still think this breaks -i eth+ matching, as there was special
handling for that case.
On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
>> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> >> This patch fixes the issue where the rules are added for a non-existent
>> >> interface and cannot be deleted.
>> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
>> >> you to add the rule where the eth10.10 interface is not created,
>> >> but will not allow you to delete it, as the label maps to * by
>> >> if_nametoindex().
>> >
>> > This patch doesn't apply:
>> >
>> > patch -p1 < /tmp/anand.patch
>> > patching file iptables/nft-shared.c
>> > patch: **** malformed patch at line 6: *iface, int invflags)
>> >
>> > Please, no need to split things in that many chunks per file. One
>> > single patch file to address one thing is just fine; the repository
>> > has to remain in a consistent state between patches.
>> >
>> > Thanks.
>>
>> Merged all into a single patch.
>
> I still think this breaks -i eth+ matching, as there was special
> handling for that case.

Can you share the exact case with me? It does NOT work on rules added
before the patch.

The patch looks good on my setup..

xtables -I INPUT -i eth+ -j ACCEPT

xtables -L INPUT -nv
Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0

# xtables -D INPUT -i eth+ -j ACCEPT
comparing with...
-A INPUT -c 0 0 -i eth+ -j ACCEPT
DEBUG: rule: ip filter INPUT 29 0
  [ meta load iifname => reg 1 ]
  [ cmp eq reg 1 0x2b687465 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 1 ]
On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> >> This patch fixes the issue where the rules are added for a non-existent
> >> >> interface and cannot be deleted.
> >> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> >> you to add the rule where the eth10.10 interface is not created,
> >> >> but will not allow you to delete it, as the label maps to * by
> >> >> if_nametoindex().
> >> >
> >> > This patch doesn't apply:
> >> >
> >> > patch -p1 < /tmp/anand.patch
> >> > patching file iptables/nft-shared.c
> >> > patch: **** malformed patch at line 6: *iface, int invflags)
> >> >
> >> > Please, no need to split things in that many chunks per file. One
> >> > single patch file to address one thing is just fine; the repository
> >> > has to remain in a consistent state between patches.
> >> >
> >> > Thanks.
> >>
> >> Merged all into a single patch.
> >
> > I still think this breaks -i eth+ matching, as there was special
> > handling for that case.
>
> Can you share the exact case with me? It does NOT work on rules added
> before the patch.
>
> The patch looks good on my setup..
>
> xtables -I INPUT -i eth+ -j ACCEPT
>
> xtables -L INPUT -nv
> Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
>
> # xtables -D INPUT -i eth+ -j ACCEPT
> comparing with...
> -A INPUT -c 0 0 -i eth+ -j ACCEPT
> DEBUG: rule: ip filter INPUT 29 0
>   [ meta load iifname => reg 1 ]
>   [ cmp eq reg 1 0x2b687465 ]
>   [ counter pkts 0 bytes 0 ]
>   [ immediate reg 0 1 ]

I guess that seems to work for adding/removing rules, but packet
matching won't work, since from the kernel side it will strictly
compare the string, e.g. eth0 == eth+. Note that eth+ means we want to
match all interfaces starting with 'eth'.
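The prefix semantics Pablo describes, as a constructed example that is not iptables or nftables code: it models the two ways a rule's interface name can be compared against the interface a packet arrives on, the iptables wildcard rule (a trailing '+' means compare only the bytes before it, which is what the removed branch encoded with a length of iface_len - 1) and the exact full-string compare the patched code asks the kernel for. Function names and the interface list are assumptions made for the example; the index-based NFT_META_OIF path is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not iptables/nftables code: models the two ways of
 * comparing a rule's interface name against a packet's interface name that
 * this thread argues about. Function names are hypothetical. */

/* iptables semantics: a trailing '+' makes the name a prefix pattern, so only
 * the first (len - 1) bytes are compared. "+" on its own matches everything. */
int iface_match_wildcard(const char *rule_iface, const char *pkt_iface)
{
    size_t len = strlen(rule_iface);

    if (len > 0 && rule_iface[len - 1] == '+')
        return strncmp(rule_iface, pkt_iface, len - 1) == 0;
    return strcmp(rule_iface, pkt_iface) == 0;
}

/* What an exact compare of all iface_len bytes does: the '+' is part of the
 * compared value, so "eth+" only ever equals an interface literally named
 * "eth+". */
int iface_match_exact(const char *rule_iface, const char *pkt_iface)
{
    return strcmp(rule_iface, pkt_iface) == 0;
}

/* Constructed interface list standing in for a host's devices. */
static const char *const demo_ifaces[] = { "eth0", "eth1", "eth10.10", "lo", "wlan0" };
static const int demo_iface_count = (int)(sizeof(demo_ifaces) / sizeof(demo_ifaces[0]));

/* Count how many of the demo interfaces a rule would match under the given
 * strategy; packets on the unmatched ones would never hit the rule. */
int count_demo_matches(const char *rule_iface,
                       int (*match)(const char *, const char *))
{
    int hits = 0;

    for (int i = 0; i < demo_iface_count; i++)
        hits += match(rule_iface, demo_ifaces[i]);
    return hits;
}

int main(void)
{
    const char *rules[] = { "eth+", "eth10.10", "+" };

    for (size_t r = 0; r < sizeof(rules) / sizeof(rules[0]); r++)
        printf("%-9s wildcard=%d exact=%d\n", rules[r],
               count_demo_matches(rules[r], iface_match_wildcard),
               count_demo_matches(rules[r], iface_match_exact));
    return 0;
}
```

Under the wildcard rule "eth+" matches three of the five constructed interfaces; under the exact compare it matches none of them, which is the packet-matching regression the thread is about, while a plain name such as "eth10.10" behaves the same either way.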
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 25cb177..407f650 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -145,13 +145,9 @@ void add_outiface(struct nft_rule *r, char *iface, int invflags) else op = NFT_CMP_EQ; - if (iface[iface_len - 1] == '+') { - add_meta(r, NFT_META_OIFNAME); - add_cmp_ptr(r, op, iface, iface_len - 1); - } else { - add_meta(r, NFT_META_OIF); - add_cmp_u32(r, if_nametoindex(iface), op); - } + /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in iptables */ + add_meta(r, NFT_META_OIFNAME); + add_cmp_ptr(r, op, iface, iface_len); }
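Review bot: the removed block is the '+' wildcard handling, and the replacement `add_cmp_ptr(r, op, iface, iface_len);` compares every byte of the name including the trailing '+', so `-o eth+` now asks the kernel for an exact match against the string "eth+" and will no longer match eth0, eth1 and so on; the DEBUG output earlier in the thread (`cmp eq reg 1 0x2b687465`, the bytes of "eth+" in little-endian order) shows the '+' ending up in the compared value. Keep the `if (iface[iface_len - 1] == '+')` check and compare `iface_len - 1` bytes in that branch; only the else branch needs to change from NFT_META_OIF with if_nametoindex() to NFT_META_OIFNAME with the full name, which is enough to address the not-yet-existing-interface case the patch description targets. Minor style point: the new comment has stray spacing (`/*Removed NFT_META_OIF , will stick`) and records history rather than intent; a comment saying why the name rather than the index is compared would age better.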