Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface

On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> >> This patch fixes the issue where rules are added for a non-existent
> >> >> interface and cannot be deleted.
> >> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> >> you to add the rule, where the eth10.10 interface is not created,
> >> >> but will not allow you to delete it, as the label maps to * by if_nametoindex().
> >> >
> >> > This patch doesn't apply:
> >> >
> >> > patch -p1 < /tmp/anand.patch
> >> > patching file iptables/nft-shared.c
> >> > patch: **** malformed patch at line 6: *iface, int invflags)
> >> >
> >> > Please, no need to split things in that many chunks per file. One
> >> > single patch file to address one thing is just fine, the repository
> >> > has to remain in consistent state between patches.
> >> >
> >> > Thanks.
> >>
> >> Merged all into a single patch.
> >
> > I still think this breaks -i eth+ matching, as there was special
> > handling for that case.
> 
> Can you share the exact case with me? It does NOT work on rules added before the patch.
> 
> The patch looks good on my setup.
> xtables -I INPUT -i eth+ -j ACCEPT
> 
> xtables -L INPUT -nv
> Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  eth+   *       0.0.0.0/0            0.0.0.0/0
> 
> # xtables -D INPUT -i eth+ -j ACCEPT
> comparing with... -A INPUT -c        0        0 -i eth+ -j ACCEPT
> DEBUG: rule: ip filter INPUT 29 0
>   [ meta load iifname => reg 1 ]
>   [ cmp eq reg 1 0x2b687465 ]
>   [ counter pkts 0 bytes 0 ]
>   [ immediate reg 0 1 ]

I guess that seems to work for adding/removing rules, but packet
matching won't work, since on the kernel side it will strictly
compare the string, e.g. eth0 == eth+.

Note that eth+ means we want to match all interfaces starting with 'eth'.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
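The point Pablo raises above, as an added illustration that is not code from iptables, nftables or the patch under discussion: iptables treats a trailing '+' in an interface spec as a prefix wildcard, so "eth+" must match eth0, eth10.10 and so on, whereas an expression that compares the full name (like the `cmp eq reg 1 0x2b687465` shown in the debug output) only matches an interface literally named "eth+". The `pack_reg32` helper reproduces the little-endian packing of "eth+" into that register value; `match_exact` and `match_iptables` are hypothetical helpers showing strict versus prefix comparison, and `IFNAMSIZ` is assumed to be the kernel's 16-byte interface name limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed kernel limit for interface names (16 bytes, NUL-padded). */
#define IFNAMSIZ 16

/* Pack the first four bytes of a name into a 32-bit register value,
 * little-endian. For "eth+" this yields 0x2b687465, the constant seen in
 * the "cmp eq reg 1 ..." debug line above. Constructed helper, not nft code. */
uint32_t pack_reg32(const char *name)
{
    unsigned char buf[4] = {0, 0, 0, 0};
    size_t n = strlen(name);

    if (n > 4)
        n = 4;
    memcpy(buf, name, n);
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Strict comparison: what a full-length "cmp eq" on the name amounts to.
 * "eth+" only matches an interface literally called "eth+". */
int match_exact(const char *spec, const char *ifname)
{
    return strncmp(spec, ifname, IFNAMSIZ) == 0;
}

/* iptables semantics: a trailing '+' turns the spec into a prefix wildcard,
 * so only the bytes before the '+' are compared. Without the '+' the
 * comparison is exact. Hypothetical helper illustrating the rule. */
int match_iptables(const char *spec, const char *ifname)
{
    size_t len = strlen(spec);

    if (len > 0 && spec[len - 1] == '+')
        return strncmp(spec, ifname, len - 1) == 0; /* prefix only */
    return match_exact(spec, ifname);
}

int main(void)
{
    const char *ifaces[] = { "eth0", "eth10.10", "eth+", "wlan0" };
    size_t i;

    printf("\"eth+\" packed as register value: 0x%08x\n", pack_reg32("eth+"));
    for (i = 0; i < sizeof(ifaces) / sizeof(ifaces[0]); i++)
        printf("%-9s exact=%d iptables=%d\n", ifaces[i],
               match_exact("eth+", ifaces[i]),
               match_iptables("eth+", ifaces[i]));
    return 0;
}
```

Running it shows that the exact comparison matches none of the real interfaces while the prefix comparison matches every eth* name, which is the difference between the rule being accepted by the ruleset and the rule actually matching packets.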