| Message ID | 1373978333-17427-7-git-send-email-tomasz.bursztyka@linux.intel.com |
|---|---|
| State | Not Applicable |
| Headers | show |
On Tue, Jul 16, 2013 at 03:38:50PM +0300, Tomasz Bursztyka wrote: > Fixes an output bug, it was: > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain INPUT (policy ACCEPT) > target prot opt source destination > > where it should be: > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination I have just checked this. The order is fine except by the nat table, that one has been corrected it here: http://git.netfilter.org/iptables-nftables/commit/?id=990b5aec1df02450545b57b94d3c960d9b7b1188 However, if the xtables.conf file is used, the order was reversed so I could reproduce exactly the same output that you posted here. I have fixed that by fixing the semantically of nft_*_list_add in libnftables to prepend, instead of appending. Now we have nft_*_list_add_tail, I have adapted iptables-nftables to use add_tail when needed: http://git.netfilter.org/iptables-nftables/commit/?id=5e6ed2aae9e4a8ec0a340036f485c2567635eca9 Those should be enough to resolve this issue. Thanks for the initial patch to address this issue. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo, > I have just checked this. The order is fine except by the nat table, > that one has been corrected it here: > > http://git.netfilter.org/iptables-nftables/commit/?id=990b5aec1df02450545b57b94d3c960d9b7b1188 > > However, if the xtables.conf file is used, the order was reversed so I > could reproduce exactly the same output that you posted here. > > I have fixed that by fixing the semantically of nft_*_list_add in > libnftables to prepend, instead of appending. Now we have > nft_*_list_add_tail, I have adapted iptables-nftables to use add_tail > when needed: > > http://git.netfilter.org/iptables-nftables/commit/?id=5e6ed2aae9e4a8ec0a340036f485c2567635eca9 > > Those should be enough to resolve this issue. If you think it's sufficient to ensure right chain ordering then ok, as long as users don't mess up with conf/save files. I did not liked much the for loop on builtin chains anyway. Tomasz -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/iptables/nft.c b/iptables/nft.c index 230c4f7..2f03f63 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -2464,10 +2464,12 @@ static void __nft_chain_rule_list(struct nft_handle *h, struct nft_chain *c, int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format) { + const struct builtin_table *t; struct nft_chain_list *list; struct nft_chain_list_iter *iter; struct nft_chain *c; bool round = false; + int i; /* If built-in chains don't exist for this table, create them */ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) @@ -2482,6 +2484,22 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, goto out; }; + /* Let's print out builtin chains first, in right order */ + t = nft_table_builtin_find(table); + if (t == NULL) + goto out; + + for (i = 0; i < NF_IP_NUMHOOKS && t->chains[i].name != NULL; i++) { + if (round) + printf("\n"); + + c = nft_chain_list_find(list, table, t->chains[i].name); + if (c != NULL) { + __nft_chain_rule_list(h, c, table, rulenum, format); + round = true; + } + } + iter = nft_chain_list_iter_create(list); if (iter == NULL) goto out; @@ -2494,12 +2512,12 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, if (strcmp(table, chain_table) != 0) goto next; - if (round) - printf("\n"); + /* we skip already listed builtin chains */ + if (nft_chain_builtin(c)) + goto next; + printf("\n"); __nft_chain_rule_list(h, c, table, rulenum, format); - - round = true; next: c = nft_chain_list_iter_next(iter); }
Fixes an output bug, it was: Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination where it should be: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> --- iptables/nft.c | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-)