Arturo reports ebtables-nft reports an error when -o is
used in custom chains:

-A MYCHAIN -o someif
makes ebtables-nft exit with an error:
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
to mean "builtin", so -1 mistakenly leads to the checks being active.

Reported-by: Arturo Borrero Gonzalez <art...@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
Signed-off-by: Florian Westphal <f...@strlen.de>
---
 iptables/xtables-eb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 121ecbecd0b6..3b03daef28eb 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain)
        else if (strcmp(chain, "POSTROUTING") == 0)
                return NF_BR_POST_ROUTING;
 
-       return -1;
+       /* placeholder for user defined chain */
+       return NF_BR_NUMHOOKS;
 }
 
 /*
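Review bot: The new return value at the end of ebt_get_current_chain() changes the "not a builtin" sentinel from negative to NF_BR_NUMHOOKS, but the comment does not tell callers how to test for it. Only one caller is converted in this patch, so any remaining check of the form "< 0" or "== -1" on this return value would now silently treat a user-defined chain as builtin. It would help to extend the comment to say that callers must compare with ">= NF_BR_NUMHOOKS", and to confirm that no caller uses the value as an array index or shift count without that check first, since NF_BR_NUMHOOKS is one past the last valid hook number.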
@@ -1223,7 +1224,7 @@ print_zero:
        cs.eb.ethproto = htons(cs.eb.ethproto);
 
        if (command == 'P') {
-               if (selected_chain < 0) {
+               if (selected_chain >= NF_BR_NUMHOOKS) {
                        ret = ebt_set_user_chain_policy(h, *table, chain, 
policy);
                } else {
                        if (strcmp(policy, "RETURN") == 0) {
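Review bot: The replaced condition in the 'P' branch, "selected_chain >= NF_BR_NUMHOOKS", is only equivalent to the old "< 0" test if selected_chain can no longer be negative at this point. If the variable is initialised to a negative value before a chain has been selected, that case used to take the user-chain path and now falls through to the builtin policy branch. Please confirm selected_chain is always assigned from ebt_get_current_chain() before 'P' is handled, or keep the negative case covered explicitly. A small helper or macro for "is user-defined chain" would also keep this test and the -o checks mentioned in the commit message from drifting apart again.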
-- 
2.21.0
