From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 0/4] nft: Fix and improve base chain handling
Date: Wed, 22 Sep 2021 18:06:28 +0200 [thread overview]
Message-ID: <20210922160632.15635-1-phil@nwl.cc> (raw)
This is a combined series of fixes and improvements:
* Patch 1 fixes a double free happening if the ruleset contains more than one base chain for a given hook.
* Patch 2 improves iptables-nft behaviour in the above case, allowing it to continue even if there is a base chain which doesn't fit. Since iptables-nft doesn't fetch the full ruleset from the kernel in all cases anymore, it is prone to missing offending ruleset parts anyway.
* Patch 4 tries to avoid the negative side-effects that came with Florian's patch allowing deletion of base chains.
* Patch 3 adds a bit of convenience used by patch 4.
Phil Sutter (4):
nft: cache: Avoid double free of unrecognized base-chains
nft: Check base-chain compatibility when adding to cache
nft-chain: Introduce base_slot field
nft: Delete builtin chains compatibly
iptables/nft-cache.c | 52 +++++---
iptables/nft-chain.h | 1 +
iptables/nft-cmd.c | 2 +-
iptables/nft.c | 112 +++++++-----------
iptables/nft.h | 2 +
.../shell/testcases/chain/0004extra-base_0 | 37 ++++++
.../shell/testcases/chain/0005base-delete_0 | 34 ++++++
iptables/xtables-save.c | 3 +
8 files changed, 161 insertions(+), 82 deletions(-)
create mode 100755 iptables/tests/shell/testcases/chain/0004extra-base_0
create mode 100755 iptables/tests/shell/testcases/chain/0005base-delete_0
--
2.33.0