| Message ID | 20141124095149.17111.54015.stgit@nfdev.cica.es |
|---|---|
| State | Accepted |
| Delegated to | Pablo Neira |
On Mon, Nov 24, 2014 at 10:52:04AM +0100, Arturo Borrero Gonzalez wrote:
> The RETURN default policy is mandatory in user-defined chains.
> Builtin chains must have one of ACCEPT or DROP.
>
> So, with this patch, ebtables-compat ends with:
>
> Command:                        Result:
>
> -L                              Always RETURN for user-defined chains
> -P builtin RETURN               Policy RETURN only allowed for user defined chains
> -P builtin ACCEPT|DROP          ok
> -P userdefined RETURN           Default policy in user-defined chains is mandatory RETURN
> -P userdefined ACCEPT|DROP      Default policy in user-defined chains is mandatory RETURN
> -N userdefined                  ok
> -N userdefined -P RETURN        Default policy in user-defined chains is mandatory RETURN
> -N userdefined -P ACCEPT|DROP   Default policy in user-defined chains is mandatory RETURN
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
> ---
> v2: change some error messages, as requested by Pablo.
>
>  iptables/nft-bridge.c |    3 ++-
>  iptables/xtables-eb.c |    9 ++++++++-
>  2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
> index b5aec00..a1bd906 100644
> --- a/iptables/nft-bridge.c
> +++ b/iptables/nft-bridge.c
> @@ -356,7 +356,8 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
>                                      const struct xt_counters *counters,
>                                      bool basechain, uint32_t refs)
>  {
> -        printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
> +        printf("Bridge chain: %s, entries: %u, policy: %s\n",
> +               chain, refs, basechain ? pol : "RETURN");
>  }
>
>  static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
> diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
> index 917bca2..e462dbf 100644
> --- a/iptables/xtables-eb.c
> +++ b/iptables/xtables-eb.c
> @@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
>                  case 'E': /* Rename chain */
>                  case 'X': /* Delete chain */
>                          /* We allow -N chainname -P policy */
> +                        /* XXX: Not in ebtables-compat */
>                          if (command == 'N' && c == 'P') {
>                                  command = c;
>                                  optind--; /* No table specified */
> @@ -1146,9 +1147,15 @@ check_extension: */
>          cs.fw.ethproto = htons(cs.fw.ethproto);
>
>          if (command == 'P') {
> -                if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
> +                if (selected_chain < 0) {
> +                        xtables_error(PARAMETER_PROBLEM,
> +                                      "Default policy in user-defined"
> +                                      " chains is mandatory RETURN");

The intended error should be something like:

... , "Policy %s only allowed from base chains", policy);

right? I can mangle the patch here. Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
On 24 November 2014 at 12:12, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Nov 24, 2014 at 10:52:04AM +0100, Arturo Borrero Gonzalez wrote:
>> The RETURN default policy is mandatory in user-defined chains.
>> Builtin chains must have one of ACCEPT or DROP.
>>
>> So, with this patch, ebtables-compat ends with:
>>
>> Command:                        Result:
>>
>> -L                              Always RETURN for user-defined chains
>> -P builtin RETURN               Policy RETURN only allowed for user defined chains
>> -P builtin ACCEPT|DROP          ok
>> -P userdefined RETURN           Default policy in user-defined chains is mandatory RETURN
>> -P userdefined ACCEPT|DROP      Default policy in user-defined chains is mandatory RETURN
>> -N userdefined                  ok
>> -N userdefined -P RETURN        Default policy in user-defined chains is mandatory RETURN
>> -N userdefined -P ACCEPT|DROP   Default policy in user-defined chains is mandatory RETURN
>>
>> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
>> ---
>> v2: change some error messages, as requested by Pablo.
>>
>>  iptables/nft-bridge.c |    3 ++-
>>  iptables/xtables-eb.c |    9 ++++++++-
>>  2 files changed, 10 insertions(+), 2 deletions(-)
>>
>> diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
>> index b5aec00..a1bd906 100644
>> --- a/iptables/nft-bridge.c
>> +++ b/iptables/nft-bridge.c
>> @@ -356,7 +356,8 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
>>                                      const struct xt_counters *counters,
>>                                      bool basechain, uint32_t refs)
>>  {
>> -        printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
>> +        printf("Bridge chain: %s, entries: %u, policy: %s\n",
>> +               chain, refs, basechain ? pol : "RETURN");
>>  }
>>
>>  static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
>> diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
>> index 917bca2..e462dbf 100644
>> --- a/iptables/xtables-eb.c
>> +++ b/iptables/xtables-eb.c
>> @@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
>>                  case 'E': /* Rename chain */
>>                  case 'X': /* Delete chain */
>>                          /* We allow -N chainname -P policy */
>> +                        /* XXX: Not in ebtables-compat */
>>                          if (command == 'N' && c == 'P') {
>>                                  command = c;
>>                                  optind--; /* No table specified */
>> @@ -1146,9 +1147,15 @@ check_extension: */
>>          cs.fw.ethproto = htons(cs.fw.ethproto);
>>
>>          if (command == 'P') {
>> -                if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
>> +                if (selected_chain < 0) {
>> +                        xtables_error(PARAMETER_PROBLEM,
>> +                                      "Default policy in user-defined"
>> +                                      " chains is mandatory RETURN");
>
> The intended error should be something like:
>
> ... , "Policy %s only allowed from base chains", policy);
>
> right? I can mangle the patch here. Thanks.

Ok, thanks.
On Mon, Nov 24, 2014 at 01:12:33PM +0100, Arturo Borrero Gonzalez wrote:
> On 24 November 2014 at 12:12, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> --- a/iptables/xtables-eb.c
> >> +++ b/iptables/xtables-eb.c
> >> @@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
> >>                  case 'E': /* Rename chain */
> >>                  case 'X': /* Delete chain */
> >>                          /* We allow -N chainname -P policy */
> >> +                        /* XXX: Not in ebtables-compat */
> >>                          if (command == 'N' && c == 'P') {
> >>                                  command = c;
> >>                                  optind--; /* No table specified */
> >> @@ -1146,9 +1147,15 @@ check_extension: */
> >>          cs.fw.ethproto = htons(cs.fw.ethproto);
> >>
> >>          if (command == 'P') {
> >> -                if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
> >> +                if (selected_chain < 0) {
> >> +                        xtables_error(PARAMETER_PROBLEM,
> >> +                                      "Default policy in user-defined"
> >> +                                      " chains is mandatory RETURN");
> >
> > The intended error should be something like:
> >
> > ... , "Policy %s only allowed from base chains", policy);
> >
> > right? I can mangle the patch here. Thanks.
>
> Ok, thanks.

Applied, thanks.

I have used "Policy XYZ not allowed for user defined chains" so we
basically disable policies from user-defined chains in ebtables-compat.
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index b5aec00..a1bd906 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -356,7 +356,8 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
                                     const struct xt_counters *counters,
                                     bool basechain, uint32_t refs)
 {
-        printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
+        printf("Bridge chain: %s, entries: %u, policy: %s\n",
+               chain, refs, basechain ? pol : "RETURN");
 }

 static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 917bca2..e462dbf 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
                 case 'E': /* Rename chain */
                 case 'X': /* Delete chain */
                         /* We allow -N chainname -P policy */
+                        /* XXX: Not in ebtables-compat */
                         if (command == 'N' && c == 'P') {
                                 command = c;
                                 optind--; /* No table specified */
@@ -1146,9 +1147,15 @@ check_extension: */
         cs.fw.ethproto = htons(cs.fw.ethproto);

         if (command == 'P') {
-                if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
+                if (selected_chain < 0) {
+                        xtables_error(PARAMETER_PROBLEM,
+                                      "Default policy in user-defined"
+                                      " chains is mandatory RETURN");
+                }
+                if (strcmp(policy, "RETURN") == 0) {
                         xtables_error(PARAMETER_PROBLEM,
                                       "Policy RETURN only allowed for user defined chains");
+                }
                 ret = nft_chain_set(h, *table, chain, policy, NULL);
                 if (ret < 0)
                         xtables_error(PARAMETER_PROBLEM, "Wrong policy");
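Review bot: in the nft_bridge_print_header hunk, `basechain ? pol : "RETURN"` silently replaces whatever `pol` holds for a non-base chain, and the reason lives only in the commit message's "-L Always RETURN for user-defined chains" row; a one-line comment above the printf stating that user-defined chains are always reported with policy RETURN in ebtables-compat would keep that rationale next to the code.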
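Review bot: in the @@ -616 hunk, the added `/* XXX: Not in ebtables-compat */` comment documents a limitation without enforcing it: the `if (command == 'N' && c == 'P')` branch still converts `-N chainname -P policy` into a 'P' command, and the combination is only rejected later in the `command == 'P'` block through the `selected_chain < 0` check (the commit message lists `-N userdefined -P RETURN` as an error). Either reject the combination here with an explicit xtables_error so the failure stays local to option parsing, or extend the comment to say where it is rejected.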
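Review bot: in the @@ -1146 hunk, the two new checks leave the messages contradicting each other: once `if (selected_chain < 0)` rejects every `-P` on a user-defined chain, the `strcmp(policy, "RETURN") == 0` branch is only reachable for a base chain, yet it still reports "Policy RETURN only allowed for user defined chains", while the first message calls RETURN the mandatory policy for those chains and rejects it anyway. Reword both around the rule actually enforced (no policy may be set on user-defined chains; RETURN is not a valid policy for base chains), as the follow-up in this thread settles on, and drop the braces around the single-statement xtables_error calls to match the surrounding style. The user-defined test also moves from `selected_chain < NF_BR_NUMHOOKS` to `selected_chain < 0`; if selected_chain can ever hold a value at or above NF_BR_NUMHOOKS, a sentence in the commit message on how it is assigned would make the new condition easier to review.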
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.

So, with this patch, ebtables-compat ends with:

Command:                        Result:

-L                              Always RETURN for user-defined chains
-P builtin RETURN               Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP          ok
-P userdefined RETURN           Default policy in user-defined chains is mandatory RETURN
-P userdefined ACCEPT|DROP      Default policy in user-defined chains is mandatory RETURN
-N userdefined                  ok
-N userdefined -P RETURN        Default policy in user-defined chains is mandatory RETURN
-N userdefined -P ACCEPT|DROP   Default policy in user-defined chains is mandatory RETURN

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
v2: change some error messages, as requested by Pablo.

 iptables/nft-bridge.c |    3 ++-
 iptables/xtables-eb.c |    9 ++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)