From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Fri, 3 Nov 2023 17:33:22 +0100
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage
|
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
define IPT_INV_SRCDEVADDR 0x0080
define ARPT_INV_SRCDEVADDR 0x0010
|
as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.
|
Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.
|
Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionality implemented by "extensions" in the
arptables-legacy git tree are built-in, so this doesn't break
arptables-legacy binaries.
|
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
---
extensions/libarpt_mangle.c | 4 ++--
iptables/nft-arp.c | 2 +-
iptables/xshared.h | 4 +++-
3 files changed, 6 insertions(+), 4 deletions(-)
|
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
index 765edf34781f3..a846e97ec8f27 100644
--- a/extensions/libarpt_mangle.c
+++ b/extensions/libarpt_mangle.c
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! --h-length not allowed for "
"--mangle-mac-s");
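Review bot: The `arhln_mask == 0` / `IPT_INV_ARPHLN` guard pair is duplicated in arpmangle_parse, here and again in the second hunk at line 95, and the two copies disagree in their user-visible messages: this one prints `! --h-length not allowed for --mangle-mac-s` while the other prints `! hln not allowed for --mangle-mac-d`. Changing the second to `"! --h-length not allowed for --mangle-mac-d"` keeps the wording consistent with the option name the user actually typed. Since both checks test the same flag, a small static helper taking the option name would leave one place to update the next time an invflags constant moves. The body of arpmangle_parse starts before and continues after both hunks.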
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
if (e->arp.arhln_mask == 0)
xtables_error(PARAMETER_PROBLEM,
"no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
xtables_error(PARAMETER_PROBLEM,
"! hln not allowed for --mangle-mac-d");
if (e->arp.arhln != 6)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index aed39ebdd5166..535dd6b83237b 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
&args->d.naddrs);
|
if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
xtables_error(PARAMETER_PROBLEM,
"! not allowed with multiple"
" source or destination IP addresses");
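Review bot: The condition on the changed line is coarser than its error message: it refuses any negated address as soon as either list holds more than one entry, so a rule with two source addresses and a single negated destination is rejected although only the source side is expanded. If the intent is to refuse negation only on the side that will be expanded into several rules, the precise form is `(args->s.naddrs > 1 && (cs->arp.arp.invflags & IPT_INV_SRCIP)) || (args->d.naddrs > 1 && (cs->arp.arp.invflags & IPT_INV_DSTIP))`. This is pre-existing behaviour that the flag fix carries forward, so it may be deliberate; a one-line comment stating which combinations are meant to be refused would settle it either way. nft_arp_post_parse starts before and continues after the hunk.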
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a200e0d620ad3..5586385456a4d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,9 @@ struct xtables_target;
#define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
#define EBT_OPTSTRING OPTSTRING_COMMON "hv"
|
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
#define IPT_INV_SRCDEVADDR 0x0080
#define IPT_INV_TGTDEVADDR 0x0100
#define IPT_INV_ARPHLN 0x0200
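Review bot: The new comment states that arptables-nft does not use the legacy ARPT_INV_* defines, but nothing in the header enforces it, and the Fixes: tag shows that an earlier conversion already left the three users this commit repairs behind. Because the two families overlap in value (the message cites `IPT_INV_SRCDEVADDR 0x0080` against `ARPT_INV_SRCDEVADDR 0x0010`), a reintroduced ARPT_INV_* test compiles cleanly and simply matches the wrong condition, which is hard to spot in review or at run time. If the kernel arp_tables.h is visible where this header is included, an `#undef` of each ARPT_INV_* name placed after this IPT_INV_* block would turn such a regression into a build error; I cannot tell from the hunk whether any nft-side file still legitimately needs those names, so this is a hardening suggestion rather than a defect. The comment could also say which ARPT_INV_* names the IPT_INV_* values here are meant to replace, so the next reader does not have to diff the two headers.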