Patchwork iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface

login
register
mail settings
Submitter Anand Raj Manickam
Date Oct. 11, 2013, 6:04 a.m.
Message ID <CAEyr1FRKpudN76NbA-o0MAsMy8XpPFjBwviSy4xtWB46LcCekw@mail.gmail.com>
Download mbox | patch
Permalink /patch/282529/
State Superseded
Headers show

Comments

Anand Raj Manickam - Oct. 11, 2013, 6:04 a.m.
This patch fixes the issue where , the Rules are added for non
existent interface and unable to delete.
eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
you to add the rule , where eth10.10 interface is not created.
But will not allow to delete as the label maps to * by  if_nametoindex().




 void add_addr(struct nft_rule *r, int offset,
@@ -267,15 +263,15 @@ void parse_meta(struct nft_rule_expr *e, uint8_t
key, char *iniface,
                        *invflags |= IPT_INV_VIA_OUT;

                memcpy(outiface, ifname, len);
-               outiface[len] = '\0';

-               /* If zero, then this is an interface mask */
-               if (if_nametoindex(outiface) == 0) {
-                       outiface[len] = '+';
-                       outiface[len+1] = '\0';
-               }
+               if (outiface[len -1] == '+') {
+                                outiface[len] = '\0';
+                                memset(outiface_mask, 0xff, (len - 1));
+               } else {
+                                outiface[len + 1 ] = '\0';
+                                memset(outiface_mask, 0xff, (len + 1));
+               }

-               memset(outiface_mask, 0xff, len);
                break;
        default:
                DEBUGP("unknown meta key %d\n", key);
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - Oct. 11, 2013, 8:15 a.m.
On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> This patch fixes the issue where , the Rules are added for non
> existent interface and unable to delete.
> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
> you to add the rule , where eth10.10 interface is not created.
> But will not allow to delete as the label maps to * by  if_nametoindex().

This patch doesn't apply:

patch -p1 < /tmp/anand.patch
patching file iptables/nft-shared.c
patch: **** malformed patch at line 6: *iface, int invflags)

Please, no need to split things in that many chunks per file. One
single patch file to address one thing is just fine, the repository
has to remain in consistent state between patches.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Anand Raj Manickam - Oct. 11, 2013, 9:35 a.m.
On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> This patch fixes the issue where , the Rules are added for non
>> existent interface and unable to delete.
>> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
>> you to add the rule , where eth10.10 interface is not created.
>> But will not allow to delete as the label maps to * by  if_nametoindex().
>
> This patch doesn't apply:
>
> patch -p1 < /tmp/anand.patch
> patching file iptables/nft-shared.c
> patch: **** malformed patch at line 6: *iface, int invflags)
>
> Please, no need to split things in that many chunks per file. One
> single patch file to address one thing is just fine, the repository
> has to remain in consistent state between patches.
>
> Thanks.

Merged all into a single patch.
Thanks,
Anand
Pablo Neira - Oct. 11, 2013, 9:50 a.m.
On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> This patch fixes the issue where , the Rules are added for non
> >> existent interface and unable to delete.
> >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
> >> you to add the rule , where eth10.10 interface is not created.
> >> But will not allow to delete as the label maps to * by  if_nametoindex().
> >
> > This patch doesn't apply:
> >
> > patch -p1 < /tmp/anand.patch
> > patching file iptables/nft-shared.c
> > patch: **** malformed patch at line 6: *iface, int invflags)
> >
> > Please, no need to split things in that many chunks per file. One
> > single patch file to address one thing is just fine, the repository
> > has to remain in consistent state between patches.
> >
> > Thanks.
> 
> Merged all into a single patch.

I still think this still breaks -i eth+ matching, as there was special
handling for that case.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Anand Raj Manickam - Oct. 11, 2013, 10:07 a.m.
On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
>> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
>> >> This patch fixes the issue where , the Rules are added for non
>> >> existent interface and unable to delete.
>> >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
>> >> you to add the rule , where eth10.10 interface is not created.
>> >> But will not allow to delete as the label maps to * by  if_nametoindex().
>> >
>> > This patch doesn't apply:
>> >
>> > patch -p1 < /tmp/anand.patch
>> > patching file iptables/nft-shared.c
>> > patch: **** malformed patch at line 6: *iface, int invflags)
>> >
>> > Please, no need to split things in that many chunks per file. One
>> > single patch file to address one thing is just fine, the repository
>> > has to remain in consistent state between patches.
>> >
>> > Thanks.
>>
>> Merged all into a single patch.
>
> I still think this still breaks -i eth+ matching, as there was special
> handling for that case.

Can you share me the exact case ? It does NOT work on rules added before patch.

The patch looks good on my setup..
xtables -I INPUT -i eth+ -j ACCEPT

xtables -L INPUT -nv
Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
 pkts bytes target     prot opt in     out     source
destination
    0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0
0.0.0.0/0

# xtables -D INPUT -i eth+ -j ACCEPT
comparing with... -A INPUT -c        0        0 -i eth+ -j ACCEPT
DEBUG: rule: ip filter INPUT 29 0
  [ meta load iifname => reg 1 ]
  [ cmp eq reg 1 0x2b687465 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 1 ]
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira - Oct. 11, 2013, 11:03 a.m.
On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> >> This patch fixes the issue where , the Rules are added for non
> >> >> existent interface and unable to delete.
> >> >> eg xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE , allows
> >> >> you to add the rule , where eth10.10 interface is not created.
> >> >> But will not allow to delete as the label maps to * by  if_nametoindex().
> >> >
> >> > This patch doesn't apply:
> >> >
> >> > patch -p1 < /tmp/anand.patch
> >> > patching file iptables/nft-shared.c
> >> > patch: **** malformed patch at line 6: *iface, int invflags)
> >> >
> >> > Please, no need to split things in that many chunks per file. One
> >> > single patch file to address one thing is just fine, the repository
> >> > has to remain in consistent state between patches.
> >> >
> >> > Thanks.
> >>
> >> Merged all into a single patch.
> >
> > I still think this still breaks -i eth+ matching, as there was special
> > handling for that case.
> 
> Can you share me the exact case ? It does NOT work on rules added before patch.
> 
> The patch looks good on my setup..
> xtables -I INPUT -i eth+ -j ACCEPT
> 
> xtables -L INPUT -nv
> Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0
> 0.0.0.0/0
> 
> # xtables -D INPUT -i eth+ -j ACCEPT
> comparing with... -A INPUT -c        0        0 -i eth+ -j ACCEPT
> DEBUG: rule: ip filter INPUT 29 0
>   [ meta load iifname => reg 1 ]
>   [ cmp eq reg 1 0x2b687465 ]
>   [ counter pkts 0 bytes 0 ]
>   [ immediate reg 0 1 ]

I guess that seems to work by adding/removing rules, but packet
matching won't work since from the kernel side it will strictly
compare the string, eg. eth0 == eth+.

Note that eth+ means we want to match all interfaces starting by 'eth'
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 25cb177..407f650 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -145,13 +145,9 @@  void add_outiface(struct nft_rule *r, char
*iface, int invflags)
        else
                op = NFT_CMP_EQ;

-       if (iface[iface_len - 1] == '+') {
-               add_meta(r, NFT_META_OIFNAME);
-               add_cmp_ptr(r, op, iface, iface_len - 1);
-       } else {
-               add_meta(r, NFT_META_OIF);
-               add_cmp_u32(r, if_nametoindex(iface), op);
-       }
+       /*Removed NFT_META_OIF , will stick to NFT_META_OIFNAME as in
iptables */
+       add_meta(r, NFT_META_OIFNAME);
+       add_cmp_ptr(r, op, iface, iface_len);
 }