* [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists
@ 2020-03-04 2:24 Phil Sutter
2020-03-04 8:16 ` Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Phil Sutter @ 2020-03-04 2:24 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Existing code is a bit quirky: If no connlabel.conf was found, the local
function connlabel_value_parse() is called which tries to interpret
given label as a number. If the config exists though,
nfct_labelmap_get_bit() is called instead which doesn't care about
"undefined" connlabel names. So unless installed connlabel.conf contains
entries for all possible numeric labels, rules added by users may stop
working if a connlabel.conf is created. Fix this by falling back to
connlabel_value_parse() function also if connlabel_open() returned 0 but
nfct_labelmap_get_bit() returned an error.
Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
extensions/libxt_connlabel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index 5a01fe7237bd8..1fc92f42cd969 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -71,7 +71,7 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
{
struct xt_connlabel_mtinfo *info = cb->data;
bool have_labelmap = !connlabel_open();
- int tmp;
+ int tmp = -1;
xtables_option_parse(cb);
@@ -79,7 +79,7 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
case O_LABEL:
if (have_labelmap)
tmp = nfct_labelmap_get_bit(map, cb->arg);
- else
+ if (tmp < 0)
tmp = connlabel_value_parse(cb->arg);
if (tmp < 0)
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists
2020-03-04 2:24 [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists Phil Sutter
@ 2020-03-04 8:16 ` Florian Westphal
2020-03-04 9:40 ` Phil Sutter
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2020-03-04 8:16 UTC (permalink / raw)
To: Phil Sutter; +Cc: Pablo Neira Ayuso, netfilter-devel
Phil Sutter <phil@nwl.cc> wrote:
> Existing code is a bit quirky: If no connlabel.conf was found, the local
> function connlabel_value_parse() is called which tries to interpret
> given label as a number. If the config exists though,
> nfct_labelmap_get_bit() is called instead which doesn't care about
> "undefined" connlabel names. So unless installed connlabel.conf contains
> entries for all possible numeric labels, rules added by users may stop
> working if a connlabel.conf is created. Fix this by falling back to
> connlabel_value_parse() function also if connlabel_open() returned 0 but
> nfct_labelmap_get_bit() returned an error.
Acked-by: Florian Westphal <fw@strlen.de>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists
2020-03-04 8:16 ` Florian Westphal
@ 2020-03-04 9:40 ` Phil Sutter
0 siblings, 0 replies; 3+ messages in thread
From: Phil Sutter @ 2020-03-04 9:40 UTC (permalink / raw)
To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel
Hi,
On Wed, Mar 04, 2020 at 09:16:51AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Existing code is a bit quirky: If no connlabel.conf was found, the local
> > function connlabel_value_parse() is called which tries to interpret
> > given label as a number. If the config exists though,
> > nfct_labelmap_get_bit() is called instead which doesn't care about
> > "undefined" connlabel names. So unless installed connlabel.conf contains
> > entries for all possible numeric labels, rules added by users may stop
> > working if a connlabel.conf is created. Fix this by falling back to
> > connlabel_value_parse() function also if connlabel_open() returned 0 but
> > nfct_labelmap_get_bit() returned an error.
>
> Acked-by: Florian Westphal <fw@strlen.de>
When checking whether documentation needs an update, I stumbled upon the
following sentences:
"Instead of a name (which will be translated to a number, see EXAMPLE
below), a number may be used instead. Using a number always overrides
connlabel.conf."
So actually I should change the code to try numeric parsing first and
only then fall back to nfct_labelmap_get_bit(). Commit 51340f7b6a110
("extensions: libxt_connlabel: use libnetfilter_conntrack") broke this
in 2013. I'll send a v2.
Thanks, Phil
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-03-04 9:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-04 2:24 [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists Phil Sutter
2020-03-04 8:16 ` Florian Westphal
2020-03-04 9:40 ` Phil Sutter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.