[iptables PATCH v2] xtables: Fix for matching rules with wildcard interfaces

Due to xtables_parse_interface() and parse_ifname() being misaligned
regarding interface mask setting, rules containing a wildcard interface
added with iptables-nft could neither be checked nor deleted.

As suggested, introduce extensions/iptables.t to hold checks for
built-in selectors. This file is picked up by iptables-test.py as-is.
The only limitation is that iptables is being used for it, so no
ip6tables-specific things can be tested with it (for now).

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- Introduce extensions/iptables.t instead of (yet another) script in
  iptables/tests.
---
 extensions/iptables.t | 4 ++++
 iptables/nft-shared.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 extensions/iptables.t

diff --git a/extensions/iptables.t b/extensions/iptables.t
new file mode 100644
index 0000000000000..65456ee9874d7
--- /dev/null
+++ b/extensions/iptables.t
@@ -0,0 +1,4 @@
+:FORWARD
+-i alongifacename0;=;OK
+-i thisinterfaceistoolong0;;FAIL
+-i eth+ -o alongifacename+;=;OK
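Review bot: none of these three cases exercises the failure the commit message describes, namely that a wildcard-interface rule added with iptables-nft could not be checked (-C) or deleted (-D); unless iptables-test.py deletes every rule it adds after comparing the listing, the regression this patch fixes would still pass this file with the old `len + 1` in place, so either confirm that the runner issues a -D for each OK line or add a wildcard case that is explicitly checked and deleted. Worth stating in the commit message as well: `alongifacename0` and `alongifacename+` are both exactly 15 characters, i.e. the IFNAMSIZ-1 boundary, which is why they are the interesting OK cases and `thisinterfaceistoolong0` the FAIL case; that intent is not obvious from the file itself, and a short wildcard such as `-i eth+` on its own (not combined with -o) would cover the common non-boundary path too.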
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 492e4ec124a79..7b8ca5e4becaf 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -249,7 +249,7 @@ static void parse_ifname(const char *name, unsigned int len, char *dst, unsigned
 		return;
 	dst[len++] = 0;
 	if (mask)
-		memset(mask, 0xff, len + 1);
+		memset(mask, 0xff, len - 2);
 }
 
 int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
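Review bot: the new `memset(mask, 0xff, len - 2)` needs a comment, because the line directly above it post-increments `len` for the terminating NUL, so a reader of this function alone sees `len` grow and then two subtracted and has to work out that the mask must cover only the prefix bytes, excluding both the appended `+` and the NUL just written, to match what xtables_parse_interface() produces for a wildcard (the commit message gives that rationale; the code should too). A clearer shape would be to save the prefix length in a local before the wildcard and terminator are appended and pass that to memset, rather than recovering it by back-subtracting a constant that silently depends on exactly two bytes having been added above; that also removes the risk of an underflowing `size_t` argument if this branch is ever reached with a `len` smaller than 2.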
-- 
2.19.0



