On Wed, Aug 01, 2018 at 06:17:09PM +0200, Phil Sutter wrote: > Hi Pablo, > > On Fri, Jul 27, 2018 at 01:43:09PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 27, 2018 at 12:22:32AM +0200, Phil Sutter wrote: > > > Another fix for ebtables-restore: When encountering a non-standard > > > target, command_jump() tries to load it and may retrieve an already > > > loaded one taken from xtables_targets. Detect this by checking whether > > > option_offset field is non-zero (i.e., merge_options() has already been > > > called for it) and don't allocate per-target data (which would leak > > > memory) or merge options again (which would break rule parsing > > > afterwards). > > > > > > Signed-off-by: Phil Sutter <phil@xxxxxx> > > > --- > > > iptables/xtables-eb.c | 5 +++++ > > > 1 file changed, 5 insertions(+) > > > > > > diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c > > > index 644bc63a747c6..06ca5daa20541 100644 > > > --- a/iptables/xtables-eb.c > > > +++ b/iptables/xtables-eb.c 
> > > @@ -392,6 +392,11 @@ static struct xtables_target *command_jump(struct iptables_command_state *cs, > > > if (!target) > > > return NULL; > > > > > > + /* avoid allocating data and merging options if target was > > > + * already loaded (i.e. returned from xtables_targets list) */ > > > + if (target->option_offset) > > > + return target; > > > > Hm, I overlooked this: command_jump() in iptables/xtables.c doesn't need > > this, why do we need it here? > > I think the core reason is that for ebtables, targets/matches are loaded > at once and not on demand since ebtables does not support '-m' > parameter. Without above change, the extra call to merge_options() > messes up ebtables_globals.opts. In do_parse() (used by iptables), the > equivalent xtables_globals.opts is reset before calling getopt_long(). > If I do the same in ebtables, parsing matches fails. Probably because > match options are not contained in ebtables_globals.opts anymore. > > So far I haven't found an alternative way to solve this (or align it > better with iptables code). OK, place a comment on top of this branch so we don't forget about this. Thanks!
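Review bot: The early return added after the `if (!target)` check in command_jump() treats a non-zero `target->option_offset` as the only sign that the target was already set up, and the comment above it does not say why that field is a reliable marker. Suggest the comment name merge_options() as the call that leaves option_offset non-zero, and state why ebtables needs this branch while command_jump() in iptables/xtables.c does not (targets are loaded at once because ebtables has no '-m' parameter). It is also worth confirming that a target with no options of its own ends up with a non-zero option_offset after its first pass through this function; if it can stay zero, the per-target data would be allocated again on the next lookup, which is the leak the commit message sets out to avoid.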