ebtables: Allow RETURN target rules in user defined chains

Message ID	5628F57F.1010504@gmail.com
State	Accepted
Delegated to:	Florian Westphal
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> Message-ID: <5628F57F.1010504@gmail.com> Date: Thu, 22 Oct 2015 16:41:03 +0200 From: Alin Nastac <alin.nastac@gmail.com> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110419 Red Hat/3.1.10-1.el6_0 Thunderbird/3.1.10 MIME-Version: 1.0 To: netfilter-devel@vger.kernel.org Subject: [PATCH] ebtables: Allow RETURN target rules in user defined chains Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

Message ID

5628F57F.1010504@gmail.com

State

Accepted

Delegated to:

Florian Westphal

Headers

Message-ID: <5628F57F.1010504@gmail.com>
Date: Thu, 22 Oct 2015 16:41:03 +0200
From: Alin Nastac <alin.nastac@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.2.17) Gecko/20110419 Red Hat/3.1.10-1.el6_0
	Thunderbird/3.1.10
MIME-Version: 1.0
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] ebtables: Allow RETURN target rules in user defined chains
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Alin Năstac Oct. 22, 2015, 2:41 p.m. UTC

ebtables has a bug that prevents creation of rules with RETURN target, any attempt will result in an
    RETURN not allowed on base chain
error even if the chain where you want to create the rule is a user defined chain.

Reproduction scenario:
    root@OpenWrt:~# ebtables -N foo
    root@OpenWrt:~# ebtables -A OUTPUT -j foo
    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
    --mark-target RETURN not allowed on base chain.

My email client will probably replace tabs in the patch below, but it is a one-liner patch after all, easy to spot the actual 
change.


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Florian Westphal Oct. 28, 2015, 1:01 a.m. UTC | #1

Alin Nastac <alin.nastac@gmail.com> wrote:
> ebtables has a bug that prevents creation of rules with RETURN target, any attempt will result in an
>    RETURN not allowed on base chain
> error even if the chain where you want to create the rule is a user defined chain.
> 
> Reproduction scenario:
>    root@OpenWrt:~# ebtables -N foo
>    root@OpenWrt:~# ebtables -A OUTPUT -j foo
>    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
>    --mark-target RETURN not allowed on base chain.
> 
> My email client will probably replace tabs in the patch below, but

Yes, I applied this manually (with minor edits to commit message).

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Pablo Neira Ayuso Oct. 28, 2015, 2:46 a.m. UTC | #2

On Wed, Oct 28, 2015 at 02:01:55AM +0100, Florian Westphal wrote:
> Alin Nastac <alin.nastac@gmail.com> wrote:
> > ebtables has a bug that prevents creation of rules with RETURN target, any attempt will result in an
> >    RETURN not allowed on base chain
> > error even if the chain where you want to create the rule is a user defined chain.
> > 
> > Reproduction scenario:
> >    root@OpenWrt:~# ebtables -N foo
> >    root@OpenWrt:~# ebtables -A OUTPUT -j foo
> >    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
> >    --mark-target RETURN not allowed on base chain.
> > 
> > My email client will probably replace tabs in the patch below, but
> 
> Yes, I applied this manually (with minor edits to commit message).

Thanks, I wonder since then this has been broken BTW.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Pablo Neira Ayuso Oct. 28, 2015, 2:46 a.m. UTC | #3

On Wed, Oct 28, 2015 at 03:46:00AM +0100, Pablo Neira Ayuso wrote:
> On Wed, Oct 28, 2015 at 02:01:55AM +0100, Florian Westphal wrote:
> > Alin Nastac <alin.nastac@gmail.com> wrote:
> > > ebtables has a bug that prevents creation of rules with RETURN target, any attempt will result in an
> > >    RETURN not allowed on base chain
> > > error even if the chain where you want to create the rule is a user defined chain.
> > > 
> > > Reproduction scenario:
> > >    root@OpenWrt:~# ebtables -N foo
> > >    root@OpenWrt:~# ebtables -A OUTPUT -j foo
> > >    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
> > >    --mark-target RETURN not allowed on base chain.
> > > 
> > > My email client will probably replace tabs in the patch below, but
> > 
> > Yes, I applied this manually (with minor edits to commit message).
> 
> Thanks, I wonder since then this has been broken BTW.

s/then/when/
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Florian Westphal Oct. 28, 2015, 1:31 p.m. UTC | #4

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Oct 28, 2015 at 03:46:00AM +0100, Pablo Neira Ayuso wrote:
> > On Wed, Oct 28, 2015 at 02:01:55AM +0100, Florian Westphal wrote:
> > > Alin Nastac <alin.nastac@gmail.com> wrote:
> > > > ebtables has a bug that prevents creation of rules with RETURN target, any attempt will result in an
> > > >    RETURN not allowed on base chain
> > > > error even if the chain where you want to create the rule is a user defined chain.
> > > > 
> > > > Reproduction scenario:
> > > >    root@OpenWrt:~# ebtables -N foo
> > > >    root@OpenWrt:~# ebtables -A OUTPUT -j foo
> > > >    root@OpenWrt:~# ebtables -A foo -j mark --mark-or 3 --mark-target RETURN
> > > >    --mark-target RETURN not allowed on base chain.
> > > > 
> > > > My email client will probably replace tabs in the patch below, but
> > > 
> > > Yes, I applied this manually (with minor edits to commit message).
> > 
> > Thanks, I wonder since then this has been broken BTW.
> 
> s/then/when/

Seems it never worked.

I hacked 'allow checking for --xxxx--target RETURN rules on base chains'
commit from 2002 to build and it rejects RETURN unconditionally.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/libebtc.c b/libebtc.c
--- a/libebtc.c
+++ b/libebtc.c
@@ -1102,7 +1102,7 @@  void ebt_check_for_loops(struct ebt_u_replace *replace)
                         /* check if we've dealt with this chain already */
                         if (entries2->hook_mask & (1<<i))
                                 goto letscontinue;
-                       entries2->hook_mask |= entries->hook_mask;
+                       entries2->hook_mask |= entries->hook_mask & ~(1 << NF_BR_NUMHOOKS);
                         /* Jump to the chain, make sure we know how to get back */
                         stack[sp].chain_nr = chain_nr;
                         stack[sp].n = j;

ebtables: Allow RETURN target rules in user defined chains

Commit Message

Comments

Patch