On Tue, Oct 30, 2018 at 05:57:53PM +0100, Phil Sutter wrote: > Due to xtables_parse_interface() and parse_ifname() being misaligned > regarding interface mask setting, rules containing a wildcard interface > added with iptables-nft could neither be checked nor deleted. > > Signed-off-by: Phil Sutter <phil@xxxxxx> > --- > iptables/nft-shared.c | 2 +- > .../shell/testcases/nft-only/0004wildcard-iface_0 | 12 ++++++++++++ > 2 files changed, 13 insertions(+), 1 deletion(-) > create mode 100755 iptables/tests/shell/testcases/nft-only/0004wildcard-iface_0 > > diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c > index 492e4ec124a79..7b8ca5e4becaf 100644 > --- a/iptables/nft-shared.c > +++ b/iptables/nft-shared.c > @@ -249,7 +249,7 @@ static void parse_ifname(const char *name, unsigned int len, char *dst, unsigned > return; > dst[len++] = 0; > if (mask) > - memset(mask, 0xff, len + 1); > + memset(mask, 0xff, len - 2); > } > > int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, > diff --git a/iptables/tests/shell/testcases/nft-only/0004wildcard-iface_0 b/iptables/tests/shell/testcases/nft-only/0004wildcard-iface_0 > new file mode 100755 > index 0000000000000..b7c398ecbb29c > --- /dev/null > +++ b/iptables/tests/shell/testcases/nft-only/0004wildcard-iface_0 > @@ -0,0 +1,12 @@ > +#!/bin/bash > + > +# Make sure rules containing wildcard interfaces are found again. > + > +set -e > + > +[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } > + > +lname='alongifacename+' > +$XT_MULTI iptables -A FORWARD -i eth+ -o $lname -j ACCEPT > +$XT_MULTI iptables -C FORWARD -i eth+ -o $lname -j ACCEPT > +$XT_MULTI iptables -D FORWARD -i eth+ -o $lname -j ACCEPT Suggestion: Probably we can catch this through tests/py/, just a suggestion. -C and -D operations, very much look the same from interface perspective, so just checking for -I then -D should be fine as tests/py.
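Review bot: in the nft-shared.c hunk, `memset(mask, 0xff, len - 2);` relies on a magic offset: it is only correct because `len` has already been advanced past the appended wildcard and terminator by the time this line runs (the visible `dst[len++] = 0;` is one of those increments), so the mask ends up covering just the interface-name bytes, matching what xtables_parse_interface() produces. Suggest either a one-line comment stating that, or keeping the name length in its own variable before the increments, so a later edit to the function cannot silently desynchronise the two parsers again. It is also worth stating in the commit message that the bytes of `mask` beyond `len - 2` are already zero, since the hunk only sets the leading bytes.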
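Review bot: the 0004wildcard-iface_0 script has no cleanup path: with `set -e`, if the `-C` line fails the script exits with the rule from `$XT_MULTI iptables -A FORWARD -i eth+ -o $lname -j ACCEPT` still present, which can leak into later testcases run in the same environment. Suggest a `trap '$XT_MULTI iptables -F FORWARD' EXIT` right after the skip check (or a dedicated chain that is flushed on exit). The script also only exercises the long wildcard name on `-o` and the short `eth+` on `-i`; adding the reverse combination and a negative `-C` with a non-matching name (expected to fail) would demonstrate that the mask is neither too short nor too long.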