* [PATCH ebtables-nft] ebtables: fix over-eager -o checks on custom chains
@ 2019-09-10 21:10 Florian Westphal
From: Florian Westphal @ 2019-09-10 21:10 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Arturo Borrero Gonzalez
Arturo reports ebtables-nft reports an error when -o is
used in custom chains:

-A MYCHAIN -o someif
makes ebtables-nft exit with an error:
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
to mean "builtin", so -1 mistakenly leads to the checks being active.

Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/xtables-eb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 121ecbecd0b6..3b03daef28eb 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain)
else if (strcmp(chain, "POSTROUTING") == 0)
return NF_BR_POST_ROUTING;
- return -1;
+ /* placeholder for user defined chain */
+ return NF_BR_NUMHOOKS;
}
/*
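Review bot: the new sentinel at `return NF_BR_NUMHOOKS;` changes the return contract of ebt_get_current_chain(), so any caller that still detects a user-defined chain with a `< 0` test will silently stop matching. The patch converts one such test (the `command == 'P'` branch); the other users of the return value in xtables-eb.c are not visible here and should be checked for comparisons against negative values. The one-line comment would be more useful as part of the function's description, stating that NF_BR_NUMHOOKS means "not a builtin hook", and a small helper or macro for "is user chain" would read more clearly than reusing the hook count. The patch touches only xtables-eb.c, so a test case for the reported `-A MYCHAIN -o someif` rule would help keep this from regressing.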
@@ -1223,7 +1224,7 @@ print_zero:
cs.eb.ethproto = htons(cs.eb.ethproto);
if (command == 'P') {
- if (selected_chain < 0) {
+ if (selected_chain >= NF_BR_NUMHOOKS) {
ret = ebt_set_user_chain_policy(h, *table, chain, policy);
} else {
if (strcmp(policy, "RETURN") == 0) {
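Review bot: the condition `selected_chain >= NF_BR_NUMHOOKS` assumes selected_chain can no longer be negative when -P is handled, and nothing in this hunk shows that. If the variable is initialised to a negative value and reaches this point without going through ebt_get_current_chain(), it now falls into the builtin-policy branch instead of calling ebt_set_user_chain_policy(). Please confirm the initial value of selected_chain, or initialise it to NF_BR_NUMHOOKS as well so both paths agree on the sentinel.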
--
2.21.0
* Re: [PATCH ebtables-nft] ebtables: fix over-eager -o checks on custom chains
From: Pablo Neira Ayuso @ 2019-09-11 17:22 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel, Arturo Borrero Gonzalez
On Tue, Sep 10, 2019 at 11:10:59PM +0200, Florian Westphal wrote:
> Arturo reports ebtables-nft reports an error when -o is
> used in custom chains:
>
> -A MYCHAIN -o someif
> makes ebtables-nft exit with an error:
> "Use -o only in OUTPUT, FORWARD and POSTROUTING chains."
>
> Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
> to mean "builtin", so -1 mistakenly leads to the checks being active.
LGTM.