[iptables,0/7] Small ebtables-translate review + extras

Message ID 20230126122406.23288-1-phil@nwl.cc
Message

Phil Sutter Jan. 26, 2023, 12:23 p.m. UTC
The initial goal was to fix the apparent problem of ebtables-translate
printing the 'counter' statement in the wrong position, namely after the
verdict. It turns out this happened when targets were used "implicitly",
i.e. without requesting them via '-j'. Since ebtables-nft loaded all
extensions (including targets) upfront, a syntax like:

| # ebtables-nft -A FORWARD --mark-set 1

was accepted and valid. The 'mark' target in this case was added to
iptables_command_state's 'match_list' as if it were a watcher.

Legacy ebtables does not allow this syntax, and it also becomes hard for
users to realize why two targets can't be used in the same rule. So
reject this (in patch 2) and implicitly fix the case of the 'counter'
statement in the wrong position.

Fixing the above caused some fallout: Patch 1 fixes error reporting of
unknown arguments (or missing mandatory parameters) in all tools, patch
7 extends xlate-test.py to conveniently run for all libebt_*.txlate
files (for instance).

The remaining patches 3 to 6 contain cleanups of xtables-eb-translate.c
in comparison to xtables-eb.c, also kind of preparing for a merge of the
two largely identical parsers (at least).

Phil Sutter (7):
  Proper fix for "unknown argument" error message
  ebtables: Refuse unselected targets' options
  ebtables-translate: Drop exec_style
  ebtables-translate: Use OPT_* from xshared.h
  ebtables-translate: Ignore '-j CONTINUE'
  ebtables-translate: Print flush command after parsing is finished
  tests: xlate: Support testing multiple individual files

 extensions/libebt_dnat.txlate                 | 12 ++--
 extensions/libebt_log.c                       |  1 +
 extensions/libebt_mark.txlate                 | 16 ++---
 extensions/libebt_nflog.c                     |  1 +
 extensions/libebt_snat.txlate                 |  8 +--
 include/xtables.h                             |  1 +
 .../ebtables/0002-ebtables-save-restore_0     |  4 +-
 .../testcases/iptables/0009-unknown-arg_0     | 31 ++++++++++
 iptables/xshared.c                            |  9 ++-
 iptables/xtables-eb-translate.c               | 61 +++++++------------
 iptables/xtables-eb.c                         | 46 +++++++-------
 xlate-test.py                                 | 21 ++++---
 12 files changed, 115 insertions(+), 96 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/iptables/0009-unknown-arg_0

Comments

Phil Sutter Jan. 31, 2023, 3:30 p.m. UTC | #1
On Thu, Jan 26, 2023 at 01:23:59PM +0100, Phil Sutter wrote:
> The initial goal was to fix the apparent problem of ebtables-translate
> printing the 'counter' statement in the wrong position, namely after the
> verdict. It turns out this happened when targets were used "implicitly",
> i.e. without requesting them via '-j'. Since ebtables-nft loaded all
> extensions (including targets) upfront, a syntax like:
> 
> | # ebtables-nft -A FORWARD --mark-set 1
> 
> was accepted and valid. The 'mark' target in this case was added to
> iptables_command_state's 'match_list' as if it were a watcher.
> 
> Legacy ebtables does not allow this syntax, and it also becomes hard for
> users to realize why two targets can't be used in the same rule. So
> reject this (in patch 2) and implicitly fix the case of the 'counter'
> statement in the wrong position.
> 
> Fixing the above caused some fallout: Patch 1 fixes error reporting of
> unknown arguments (or missing mandatory parameters) in all tools, patch
> 7 extends xlate-test.py to conveniently run for all libebt_*.txlate
> files (for instance).
> 
> The remaining patches 3 to 6 contain cleanups of xtables-eb-translate.c
> in comparison to xtables-eb.c, also kind of preparing for a merge of the
> two largely identical parsers (at least).
> 
> Phil Sutter (7):
>   Proper fix for "unknown argument" error message
>   ebtables: Refuse unselected targets' options
>   ebtables-translate: Drop exec_style
>   ebtables-translate: Use OPT_* from xshared.h
>   ebtables-translate: Ignore '-j CONTINUE'
>   ebtables-translate: Print flush command after parsing is finished
>   tests: xlate: Support testing multiple individual files

Series applied.