Message ID | 20180828082626.25137-1-phil@nwl.cc |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
Series | [iptables] xtables: Fix for deleting rules with comment |
On Tuesday 2018-08-28 10:26, Phil Sutter wrote:

>+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
>@@ -0,0 +1,10 @@
>+#!/bin/sh
>+
>+set -e
>+
>+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }

[[ is not sh-compatible. Either #!/bin/bash or [
On Tue, Aug 28, 2018 at 10:54:58AM +0200, Jan Engelhardt wrote:
>
> On Tuesday 2018-08-28 10:26, Phil Sutter wrote:
> >+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
> >@@ -0,0 +1,10 @@
> >+#!/bin/sh
> >+
> >+set -e
> >+
> >+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
>
> [[ is not sh-compatible. Either #!/bin/bash or [

Oh, thanks! I'll send a v2.
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 4557f17d43630..c55c415f75e4c 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -664,7 +664,8 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r, } memcpy(&m->data, get_comment(data, len), len); - m->u.match_size = len + XT_ALIGN(sizeof(struct xt_entry_match)); + m->u.match_size = match->size + + XT_ALIGN(sizeof(struct xt_entry_match)); m->u.user.revision = 0; strcpy(m->u.user.name, match->name); diff --git a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 new file mode 100755 index 0000000000000..6022f5dc6b64f --- /dev/null +++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } + +for ipt in iptables ip6tables; do + $XT_MULTI $ipt -A INPUT -m comment --comment "foo bar" -j ACCEPT + $XT_MULTI $ipt -D INPUT -m comment --comment "foo bar" -j ACCEPT +done
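Review bot: in the nft-shared.c hunk, the new `m->u.match_size = match->size + XT_ALIGN(sizeof(struct xt_entry_match))` only makes the two blobs comparable if every byte between `len` and `match->size` in `m->data` is zero, because the preceding `memcpy(&m->data, get_comment(data, len), len)` copies only the comment itself and the later comparison covers the full match_size. The allocation of `m` is outside this hunk; please confirm it is zero-filled (calloc-style) or add an explicit memset of the data area, otherwise the padding bytes are uninitialised and the comparison with the command_match() side is still unreliable. The same hunk should also bound `len` against the data area now that match_size is fixed at `match->size`: a comment longer than the match's data area would overrun `m->data` in that memcpy.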
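Review bot: in the new test script, `[[ $XT_MULTI == */xtables-nft-multi ]]` under `#!/bin/sh` is a bashism. On a system where /bin/sh is dash the `[[` command is not found, the `||` branch runs, and the script prints "skip" and exits 0 unconditionally, so the regression test never executes (set -e does not help here because the failing command is on the left of `||`). Either change the shebang to `#!/bin/bash` or use a POSIX construct such as `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0;; esac`. It would also be worth asserting that the rule is actually gone after `-D`, for example `$XT_MULTI $ipt -C INPUT -m comment --comment "foo bar" -j ACCEPT && exit 1`, so a delete that returns 0 without removing the rule is caught rather than only a delete that errors out.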
Comment match allocations in command_match() and nft_rule_to_iptables_command_state() were misaligned in that the latter set match_size to just what is required instead of what the match needs at maximum like the former. This led to failure when comparing them later and therefore a rule with a comment could not be deleted.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-shared.c                                  |  3 ++-
 .../shell/testcases/nft-only/0003delete-with-comment_0 | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
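The failure mode the commit message describes, reduced to a stand-alone C model. This is an added example, not iptables code: `struct match_blob`, `XT_ALIGN`, `COMMENT_SIZE` and the builder functions are assumed stand-ins for struct xt_entry_match, the xtables alignment macro, the comment match's data area and the two code paths (command line parsing versus rebuilding a match from a rule read back from the kernel). `delete_finds_rule()` builds the same comment match both ways and compares the blobs the way a delete lookup would, once with the length-only sizing (the bug) and once with the maximum sizing (the patch).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, reduced stand-in for struct xt_entry_match: size, name,
 * revision, then the match's private data (here: the comment text). */
#define XT_ALIGN(s) (((s) + 7UL) & ~7UL)
#define COMMENT_SIZE 256          /* assumed size of the comment data area */

struct match_blob {
    uint16_t match_size;          /* header plus data, what the comparison covers */
    char name[29];
    uint8_t revision;
    unsigned char data[];         /* comment text, zero padded up to match_size */
};

#define HEADER_SIZE XT_ALIGN(sizeof(struct match_blob))

static size_t bounded_len(const char *comment)
{
    size_t len = strlen(comment);
    return len >= COMMENT_SIZE ? COMMENT_SIZE - 1 : len;   /* keep a NUL at the end */
}

/* Command-line side: the parser sizes the match to its maximum,
 * as the commit message says command_match() does. */
static struct match_blob *match_from_cmdline(const char *comment)
{
    size_t size = HEADER_SIZE + COMMENT_SIZE;
    struct match_blob *m = calloc(1, size);   /* zero fill: padding bytes are compared too */
    if (!m)
        abort();
    m->match_size = (uint16_t)size;
    strcpy(m->name, "comment");
    memcpy(m->data, comment, bounded_len(comment));
    return m;
}

/* Kernel side: the same match rebuilt from a rule read back out of the
 * ruleset. fixed == 0 sizes it to the comment's length only (the bug);
 * fixed != 0 sizes it to the match's maximum (what the patch does). */
static struct match_blob *match_from_rule(const char *comment, int fixed)
{
    size_t len = bounded_len(comment);
    size_t size = HEADER_SIZE + (fixed ? COMMENT_SIZE : len);
    struct match_blob *m = calloc(1, size);
    if (!m)
        abort();
    m->match_size = (uint16_t)size;
    strcpy(m->name, "comment");
    memcpy(m->data, comment, len);
    return m;
}

/* A delete lookup compares match blobs: the sizes must agree, then the
 * blobs are compared byte for byte over that size. */
static int matches_equal(const struct match_blob *a, const struct match_blob *b)
{
    if (a->match_size != b->match_size)
        return 0;
    return memcmp(a, b, a->match_size) == 0;
}

/* Returns 1 if "-D ... -m comment --comment <comment>" would find the
 * stored rule, 0 if the two sides disagree and the delete fails. */
int delete_finds_rule(const char *comment, int fixed)
{
    struct match_blob *wanted = match_from_cmdline(comment);
    struct match_blob *stored = match_from_rule(comment, fixed);
    int found = matches_equal(wanted, stored);

    free(wanted);
    free(stored);
    return found;
}

int main(void)
{
    printf("length-only sizing: delete finds rule = %d\n", delete_finds_rule("foo bar", 0));
    printf("maximum sizing:     delete finds rule = %d\n", delete_finds_rule("foo bar", 1));
    return 0;
}
```

Two things carry over to the real code: both sides must agree on a canonical match_size (the match's maximum, not the comment's length), and whichever side copies fewer bytes than that size must leave the remainder zeroed, since the comparison walks the whole blob including the padding.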