From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>
Subject: [iptables PATCH] extensions: connlabel: Fallback on missing connlabel.conf
Date: Mon, 4 Mar 2019 16:53:46 +0100 [thread overview]
Message-ID: <20190304155346.29212-1-phil@nwl.cc> (raw)
In-Reply-To: <20190304150242.e66i4zj25jj2jt2q@breakpoint.cc>
If connlabel.conf was not found, fall back to manually parsing arguments
as plain numbers.
If nfct_labelmap_new() has failed, nfct_labelmap_get_name() segfaults.
Therefore make sure it is not called in connlabel_get_name() if that's
the case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
This patch supersedes patches 3-5 of this series.
---
extensions/libxt_connlabel.c | 49 ++++++++++++++++++++++++-------
extensions/libxt_connlabel.t | 23 ++++-----------
extensions/libxt_connlabel.txlate | 8 ++---
3 files changed, 48 insertions(+), 32 deletions(-)
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index d06bb27a7c2e9..5a01fe7237bd8 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -1,8 +1,10 @@
+#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
+#include <stdlib.h>
#include <xtables.h>
#include <linux/netfilter/xt_connlabel.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
@@ -32,40 +34,59 @@ static const struct xt_option_entry connlabel_mt_opts[] = {
/* cannot do this via _init, else static builds might spew error message
* for every iptables invocation.
*/
-static void connlabel_open(void)
+static int connlabel_open(void)
{
const char *fname;
if (map)
- return;
+ return 0;
map = nfct_labelmap_new(NULL);
if (map != NULL)
- return;
+ return 0;
fname = nfct_labels_get_path();
if (errno) {
- xtables_error(RESOURCE_PROBLEM,
- "cannot open %s: %s", fname, strerror(errno));
+ fprintf(stderr, "Warning: cannot open %s: %s\n",
+ fname, strerror(errno));
} else {
xtables_error(RESOURCE_PROBLEM,
"cannot parse %s: no labels found", fname);
}
+ return 1;
+}
+
+static int connlabel_value_parse(const char *in)
+{
+ char *end;
+ unsigned long value = strtoul(in, &end, 0);
+
+ if (in[0] == '\0' || *end != '\0')
+ return -1;
+
+ return value;
}
static void connlabel_mt_parse(struct xt_option_call *cb)
{
struct xt_connlabel_mtinfo *info = cb->data;
+ bool have_labelmap = !connlabel_open();
int tmp;
- connlabel_open();
xtables_option_parse(cb);
switch (cb->entry->id) {
case O_LABEL:
- tmp = nfct_labelmap_get_bit(map, cb->arg);
+ if (have_labelmap)
+ tmp = nfct_labelmap_get_bit(map, cb->arg);
+ else
+ tmp = connlabel_value_parse(cb->arg);
+
if (tmp < 0)
- xtables_error(PARAMETER_PROBLEM, "label '%s' not found", cb->arg);
+ xtables_error(PARAMETER_PROBLEM,
+ "label '%s' not found or invalid value",
+ cb->arg);
+
info->bit = tmp;
if (cb->invert)
info->options |= XT_CONNLABEL_OP_INVERT;
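Review bot: `connlabel_value_parse` leaves the value unbounded and then truncates it: `strtoul` with base 0 also accepts leading whitespace and a leading `-`, `errno` is never checked for `ERANGE`, and the `unsigned long` is returned through `int` and stored into `info->bit` (a 16-bit field in xt_connlabel.h, if I recall the header correctly), so on LP64 an input such as `4294967296` comes back as 0 and passes the `tmp < 0` test, and anything above 65535 wraps in the field. Comparing against the header's own limit closes all of these at once: `if (in[0] == '\0' || *end != '\0' || value > XT_CONNLABEL_MAXBIT) return -1;` — the `.t` file's `"2048"` case would then presumably fail at parse time rather than only when the kernel rejects the rule. Separately, because `map` stays NULL after `nfct_labelmap_new()` fails, every `connlabel_open()` call — on each option parsed here and on each `connlabel_get_name()` call — repeats the `Warning:` line; a `static bool warned;` guard around the `fprintf` would emit it once. `connlabel_mt_parse` continues past the end of this hunk.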
@@ -81,7 +102,8 @@ static const char *connlabel_get_name(int b)
{
const char *name;
- connlabel_open();
+ if (connlabel_open())
+ return NULL;
name = nfct_labelmap_get_name(map, b);
if (name && strcmp(name, ""))
@@ -134,9 +156,13 @@ static int connlabel_mt_xlate(struct xt_xlate *xl,
const struct xt_connlabel_mtinfo *info =
(const void *)params->match->data;
const char *name = connlabel_get_name(info->bit);
+ char *valbuf = NULL;
- if (name == NULL)
- return 0;
+ if (name == NULL) {
+ if (asprintf(&valbuf, "%u", info->bit) < 0)
+ return 0;
+ name = valbuf;
+ }
if (info->options & XT_CONNLABEL_OP_SET)
xt_xlate_add(xl, "ct label set %s ", name);
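Review bot: The numeric fallback in `connlabel_mt_xlate` triggers for more than a missing connlabel.conf: judging by the `if (name && strcmp(name, ""))` context in the previous hunk (its tail is outside my view), `connlabel_get_name()` also returns NULL for a bit the loaded map does not name, so such rules previously produced no translation (`return 0`) and will now be emitted as `ct label <number>`; if that is intended, it deserves a sentence in the commit message. The heap round-trip is also avoidable: `info->bit` is a 16-bit field in the kernel header (confirm), so `char valbuf[8]; snprintf(valbuf, sizeof(valbuf), "%u", info->bit); name = valbuf;` inside the `if (name == NULL)` block replaces `asprintf`, the `free(valbuf)` in the next hunk and the `_GNU_SOURCE` define in the first hunk (`<stdlib.h>` is still needed for `strtoul`). If `asprintf` is kept, any early `return` in the lines between this hunk and the next would leak `valbuf`.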
@@ -146,6 +172,7 @@ static int connlabel_mt_xlate(struct xt_xlate *xl,
xt_xlate_add(xl, "and %s != ", name);
xt_xlate_add(xl, "%s", name);
+ free(valbuf);
return 1;
}
diff --git a/extensions/libxt_connlabel.t b/extensions/libxt_connlabel.t
index aad1032b5a8bb..7265bd4764865 100644
--- a/extensions/libxt_connlabel.t
+++ b/extensions/libxt_connlabel.t
@@ -1,18 +1,7 @@
:INPUT,FORWARD,OUTPUT
-# Backup the connlabel.conf, then add some label maps for test
-@[ -f /etc/xtables/connlabel.conf ] && mv /etc/xtables/connlabel.conf /tmp/connlabel.conf.bak
-@mkdir -p /etc/xtables
-@echo "40 bit40" > /etc/xtables/connlabel.conf
-@echo "41 bit41" >> /etc/xtables/connlabel.conf
-@echo "128 bit128" >> /etc/xtables/connlabel.conf
--m connlabel --label "bit40";=;OK
--m connlabel ! --label "bit40";=;OK
--m connlabel --label "bit41" --set;=;OK
--m connlabel ! --label "bit41" --set;=;OK
--m connlabel --label "bit128";;FAIL
-@echo > /etc/xtables/connlabel.conf
--m connlabel --label "abc";;FAIL
-@rm -f /etc/xtables/connlabel.conf
--m connlabel --label "abc";;FAIL
-# Restore the original connlabel.conf
-@[ -f /tmp/connlabel.conf.bak ] && mv /tmp/connlabel.conf.bak /etc/xtables/connlabel.conf
+-m connlabel --label "40";=;OK
+-m connlabel ! --label "40";=;OK
+-m connlabel --label "41" --set;=;OK
+-m connlabel ! --label "41" --set;=;OK
+-m connlabel --label "2048";;FAIL
+-m connlabel --label "foobar_not_there";;FAIL
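Review bot: The new expectations only hold when the test host has no `/etc/xtables/connlabel.conf`: with a map loaded, `--label "40"` is resolved through `nfct_labelmap_get_bit()` (the `have_labelmap` branch in the C hunk), and unless that library accepts numeric names — I don't believe it does — the four OK cases fail on a host that ships a label file, whereas the removed lines made the file's content explicit. A one-line comment such as `# assumes no connlabel.conf on the host; labels are parsed as plain bit numbers` would record the precondition, and the same caveat applies to the `.txlate` expectations below.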
diff --git a/extensions/libxt_connlabel.txlate b/extensions/libxt_connlabel.txlate
index 5be422044637d..12e4ac0351103 100644
--- a/extensions/libxt_connlabel.txlate
+++ b/extensions/libxt_connlabel.txlate
@@ -1,5 +1,5 @@
-iptables-translate -A INPUT -m connlabel --label bit40
-nft add rule ip filter INPUT ct label bit40 counter
+iptables-translate -A INPUT -m connlabel --label 40
+nft add rule ip filter INPUT ct label 40 counter
-iptables-translate -A INPUT -m connlabel ! --label bit40 --set
-nft add rule ip filter INPUT ct label set bit40 ct label and bit40 != bit40 counter
+iptables-translate -A INPUT -m connlabel ! --label 40 --set
+nft add rule ip filter INPUT ct label set 40 ct label and 40 != 40 counter
--
2.20.1