From 5d2e24d37d56eef0570aca06b590079527678707 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Fri, 3 Nov 2023 17:33:22 +0100
Subject: [PATCH] arptables-nft: remove ARPT_INV flags usage ARPT_ and IPT_INV flags are not interchangeable, e.g.: define IPT_INV_SRCDEVADDR 0x0080 define ARPT_INV_SRCDEVADDR 0x0010 as these flags can be tested by libarp_foo.so such checks can yield incorrect results. Because arptables-nft uses existing code, e.g. xt_mark, it makes sense to unify this completely by converting the last users of ARPT_INV_ constants. Note that arptables-legacy does not do run-time module loading via dlopen(). Functionaliy implemented by "extensions" in the arptables-legacy git tree are built-in, so this doesn't break arptables-legacy binaries.
Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal
Signed-off-by: Phil Sutter
(cherry picked from commit 3493d40cbba9dbfc00018b419241c93646a97a68)
---
 extensions/libarpt_mangle.c | 4 ++--
 iptables/nft-arp.c | 2 +-
 iptables/xshared.h | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/extensions/libarpt_mangle.c b/extensions/libarpt_mangle.c
index 765edf34781f3..a846e97ec8f27 100644
--- a/extensions/libarpt_mangle.c
+++ b/extensions/libarpt_mangle.c
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
 if (e->arp.arhln_mask == 0) xtables_error(PARAMETER_PROBLEM, "no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
 xtables_error(PARAMETER_PROBLEM, "! --h-length not allowed for " "--mangle-mac-s");
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
 if (e->arp.arhln_mask == 0) xtables_error(PARAMETER_PROBLEM, "no --h-length defined");
- if (e->arp.invflags & ARPT_INV_ARPHLN)
+ if (e->arp.invflags & IPT_INV_ARPHLN)
 xtables_error(PARAMETER_PROBLEM, "! hln not allowed for --mangle-mac-d"); if (e->arp.arhln != 6)
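Review bot: Both hunks in libarpt_mangle.c now test `IPT_INV_ARPHLN`, a constant this patch keeps in iptables/xshared.h rather than in a kernel uapi header, and neither hunk shows the extension's include list; confirm libarpt_mangle.c already includes xshared.h (directly or through another iptables header), since otherwise the build breaks where the old kernel-provided `ARPT_INV_ARPHLN` used to resolve. The two guarded checks at -77 and -95 are otherwise identical, so a small static helper taking `e` and the option name would keep them from drifting apart again. The second hunk's message also uses a different spelling of the option than the first (`"! hln not allowed for --mangle-mac-d"` vs `"! --h-length not allowed for "`); `"! --h-length not allowed for --mangle-mac-d"` would match the first. arpmangle_parse begins and ends outside both hunks.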
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index aed39ebdd5166..535dd6b83237b 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
 &args->d.naddrs); if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
- (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+ (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
 xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple" " source or destination IP addresses");
diff --git a/iptables/xshared.h b/iptables/xshared.h
index a200e0d620ad3..5586385456a4d 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -80,7 +80,9 @@ struct xtables_target;
 #define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */ #define EBT_OPTSTRING OPTSTRING_COMMON "hv"
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
 #define IPT_INV_SRCDEVADDR 0x0080 #define IPT_INV_TGTDEVADDR 0x0100 #define IPT_INV_ARPHLN 0x0200
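Review bot: The rewritten comment in xshared.h promises these bits will not collide with the kernel `IPT_INV_*` flags, but nothing enforces it, and after this patch the same `invflags` word is tested against both sets (`IPT_INV_SRCIP | IPT_INV_DSTIP` in nft-arp.c, `IPT_INV_ARPHLN` in libarpt_mangle.c), so a silent overlap would make a `!` on one option be reported as a `!` on another. A preprocessor guard after the last of these defines would catch that at build time: `#if (IPT_INV_SRCDEVADDR | IPT_INV_TGTDEVADDR | IPT_INV_ARPHLN) & IPT_INV_MASK` / `#error "arptables-nft invflags overlap kernel IPT_INV_* bits"` / `#endif`, assuming `IPT_INV_MASK` from linux/netfilter_ipv4/ip_tables.h is in scope in this header (its includes are outside the hunk). If the define list continues past `IPT_INV_ARPHLN`, the guard belongs after its final entry.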