
[iptables] xtables: Fix for deleting rules with comment

Message ID 20180828082626.25137-1-phil@nwl.cc
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Phil Sutter Aug. 28, 2018, 8:26 a.m. UTC
Comment match allocations in command_match() and
nft_rule_to_iptables_command_state() were misaligned in that the latter
set match_size to just what is required instead of what the match needs
at maximum like the former. This led to a failure when comparing them
later, and therefore a rule with a comment could not be deleted.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.c                                  |  3 ++-
 .../shell/testcases/nft-only/0003delete-with-comment_0 | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0

Comments

Jan Engelhardt Aug. 28, 2018, 8:54 a.m. UTC | #1
On Tuesday 2018-08-28 10:26, Phil Sutter wrote:
>+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
>@@ -0,0 +1,10 @@
>+#!/bin/sh
>+
>+set -e
>+
>+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }

[[ is not sh-compatible. Either #!/bin/bash or [
Phil Sutter Aug. 28, 2018, 9:02 a.m. UTC | #2
On Tue, Aug 28, 2018 at 10:54:58AM +0200, Jan Engelhardt wrote:
> 
> On Tuesday 2018-08-28 10:26, Phil Sutter wrote:
> >+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
> >@@ -0,0 +1,10 @@
> >+#!/bin/sh
> >+
> >+set -e
> >+
> >+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
> 
> [[ is not sh-compatible. Either #!/bin/bash or [

Oh, thanks! I'll send a v2.

Patch

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 4557f17d43630..c55c415f75e4c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -664,7 +664,8 @@  void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 		}
 
 		memcpy(&m->data, get_comment(data, len), len);
-		m->u.match_size = len + XT_ALIGN(sizeof(struct xt_entry_match));
+		m->u.match_size = match->size +
+			XT_ALIGN(sizeof(struct xt_entry_match));
 		m->u.user.revision = 0;
 		strcpy(m->u.user.name, match->name);
 
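Review bot: After this change m->u.match_size covers match->size bytes of match data, but the memcpy on the line above still fills only len of them, so unless m comes from a zeroing allocator (its allocation is outside this hunk) the bytes between len and match->size stay uninitialized, the later comparison against the command_match() copy still depends on whatever is in that padding, and those stray bytes are carried along with the rule. A `memset(&m->data, 0, match->size);` before the memcpy (or allocating m with calloc) makes the padding deterministic. The new size also assumes len <= match->size; if the length returned by get_comment() is not already clamped upstream, a `if (len > match->size) len = match->size;` in front of the memcpy keeps the copy inside the data area. nft_rule_to_iptables_command_state() begins before this hunk.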
diff --git a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
new file mode 100755
index 0000000000000..6022f5dc6b64f
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
@@ -0,0 +1,10 @@ 
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+for ipt in iptables ip6tables; do
+	$XT_MULTI $ipt -A INPUT -m comment --comment "foo bar" -j ACCEPT
+	$XT_MULTI $ipt -D INPUT -m comment --comment "foo bar" -j ACCEPT
+done
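Review bot: The loop only checks that -D exits 0, not that the rule is actually gone, so a regression in which the delete silently matches nothing or a different rule still passes; adding `$XT_MULTI $ipt -C INPUT -m comment --comment "foo bar" -j ACCEPT && exit 1` after the -D line makes the test fail when the rule survived. Because set -e aborts on the first failing command, a failing -D also leaves the ACCEPT rule installed in INPUT of the test environment, where it can affect later testcases; an EXIT trap that removes the test's own rule, or a final cleanup step, keeps runs independent.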