You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
87 lines
2.7 KiB
87 lines
2.7 KiB
From 2fb92babbf460de158cc435f66c46f0642763193 Mon Sep 17 00:00:00 2001
|
|
From: Phil Sutter <phil@nwl.cc>
|
|
Date: Fri, 4 Mar 2022 12:50:01 +0100
|
|
Subject: [PATCH] libxtables: Boost rule target checks by announcing chain
|
|
names
|
|
|
|
When restoring a ruleset, feed libxtables with chain names from
|
|
respective lines to avoid an extension search.
|
|
|
|
While the user's intention is clear, this effectively disables the
|
|
sanity check for clashes with target extensions. But:
|
|
|
|
* The check yielded only a warning and the clashing chain was finally
|
|
accepted.
|
|
|
|
* Users crafting iptables dumps for feeding into iptables-restore likely
|
|
know what they're doing.
|
|
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
Acked-by: Florian Westphal <fw@strlen.de>
|
|
(cherry picked from commit ac4c84cc63d3cc021ca532692885a644fcde4518)
|
|
---
|
|
include/xtables.h | 3 +++
|
|
iptables/iptables-restore.c | 1 +
|
|
iptables/xtables-restore.c | 1 +
|
|
libxtables/xtables.c | 6 ++++++
|
|
4 files changed, 11 insertions(+)
|
|
|
|
diff --git a/include/xtables.h b/include/xtables.h
|
|
index a7b36979398ba..3c0d0f78e8d1a 100644
|
|
--- a/include/xtables.h
|
|
+++ b/include/xtables.h
|
|
@@ -633,6 +633,9 @@ void xt_xlate_add_comment(struct xt_xlate *xl, const char *comment);
|
|
const char *xt_xlate_get_comment(struct xt_xlate *xl);
|
|
const char *xt_xlate_get(struct xt_xlate *xl);
|
|
|
|
+/* informed target lookups */
|
|
+void xtables_announce_chain(const char *name);
|
|
+
|
|
#ifdef XTABLES_INTERNAL
|
|
|
|
/* Shipped modules rely on this... */
|
|
diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
|
|
index cc2c2b8b10086..a34d95015c93c 100644
|
|
--- a/iptables/iptables-restore.c
|
|
+++ b/iptables/iptables-restore.c
|
|
@@ -311,6 +311,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
|
|
cb->ops->strerror(errno));
|
|
}
|
|
|
|
+ xtables_announce_chain(chain);
|
|
ret = 1;
|
|
|
|
} else if (in_table) {
|
|
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
|
index 5d0e44843b285..b3c8dbaa7e2cc 100644
|
|
--- a/iptables/xtables-restore.c
|
|
+++ b/iptables/xtables-restore.c
|
|
@@ -156,6 +156,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
|
|
"%s: line %u chain name invalid\n",
|
|
xt_params->program_name, line);
|
|
|
|
+ xtables_announce_chain(chain);
|
|
assert_valid_chain_name(chain);
|
|
|
|
policy = strtok(NULL, " \t\n");
|
|
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
|
|
index b2b3eddf78dbc..803551053c15f 100644
|
|
--- a/libxtables/xtables.c
|
|
+++ b/libxtables/xtables.c
|
|
@@ -308,6 +308,12 @@ static void notargets_hlist_insert(const char *name)
|
|
hlist_add_head(&cur->node, ¬argets[djb_hash(name) % NOTARGET_HSIZE]);
|
|
}
|
|
|
|
+void xtables_announce_chain(const char *name)
|
|
+{
|
|
+ if (!notargets_hlist_lookup(name))
|
|
+ notargets_hlist_insert(name);
|
|
+}
|
|
+
|
|
void xtables_init(void)
|
|
{
|
|
xtables_libdir = getenv("XTABLES_LIBDIR");
|
|
--
|
|
2.40.0
|
|
|