Many thanks, now I think I understand the desired behavior with the
helper objects.
Now the following works:
$ nft add secmark inet filter sshtag
"system_u:object_r:ssh_server_packet_t:s0"
$ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
$ nft add map inet filter
I think it was a bug of mine, sorted it out:
https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
Now I'll focus on connsecmark and testing :-)
Christian Göttsche wrote:
> I think it was a bug of mine, sorted it out:
> https://github.com/cgzones/secmark/commit/83a1f56a3283214b678655ad6f3b5605c6b48df3
>
> Now I'll focus on connsecmark and testing :-)
Great. You should be able to remove the secmark data type as well:
[NFT_META_SECMARK]
Christian Göttsche wrote:
> Now the following works:
>
> $ nft add secmark inet filter sshtag
> "system_u:object_r:ssh_server_packet_t:s0"
> $ nft add rule inet filter input tcp dport 22 meta secmark set sshtag
> $ nft add map inet filter secmapping { type inet_service : secmark_tag \; }
> $
Both implementations were very similar already. Differences were mostly
in which libiptc functions were called. Therefore introduce struct
iptables_save_cb to point to the right functions for each variant.
Signed-off-by: Phil Sutter
---
iptables/Makefile.am | 8 +-
Introduce struct iptables_restore_cb and merge ip6tables-restore with
iptables-restore.
Signed-off-by: Phil Sutter
---
iptables/Makefile.am | 6 +-
iptables/ip6tables-restore.c | 391 ---
iptables/iptables-restore.c | 154 ++
3 files
This series merges legacy ip6tables-save with iptables-save and
ip6tables-restore with iptables-restore. For convenience, struct xtc_ops
from libiptc is extended by a few more callbacks.
Note: This series is based on my recent 28 patches covscan fixes series.
Phil Sutter (3):
libiptc: Extend
Add a few more callbacks used by iptables-save.
Signed-off-by: Phil Sutter
---
include/libiptc/xtcshared.h | 5 +
libiptc/Makefile.am | 4 ++--
libiptc/libiptc.c | 4
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/include/libiptc/xtcshared.h
Christian Göttsche wrote:
> I got stuck a bit with the nft cli coding.
>
> By now the following works:
>
> $ nft add map inet filter secmapping { type inet_service : secmark \; }
> $ nft add rule inet filter input tcp dport 21 secmark
> "system_u:object_r:ftp_server_packet_t:s0"
> $ nft add rule
Since sinfo->flags is only 8 bytes large, checking for
XT_CONNTRACK_DIRECTION bit (which has value 1 << 12) will always return
false, so drop this dead code.
Fixes: c7fc1dae1e8f8 ("libxt_conntrack: dump ctdir")
Signed-off-by: Phil Sutter
---
extensions/libxt_conntrack.c | 8
1 file
This gets rid of a number of assignments which are either redundant or
not used afterwards.
Signed-off-by: Phil Sutter
---
iptables/ip6tables-restore.c | 4 ++--
iptables/iptables-restore.c | 4 ++--
iptables/iptables-xml.c | 4 ++--
iptables/nft.c | 2 --
Just like with libxt_conntrack, get rid of the temporary buffer. The
comment even states that it was copied from there, so just make them
identical again.
Signed-off-by: Phil Sutter
---
extensions/libxt_ipvs.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
diff
This is a leftover from previous cleanup.
Fixes: 098ee2e91756c ("xtables-save: Ignore uninteresting tables")
Signed-off-by: Phil Sutter
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index c67718c882a64..032c3788a20a7
This eliminates the deprecation warning when compiling the sources.
Signed-off-by: Phil Sutter
---
utils/nfnl_osf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/nfnl_osf.c b/utils/nfnl_osf.c
index e65c320156518..fad7f70024c56 100644
--- a/utils/nfnl_osf.c
+++
According to covscan, vfork() may lead to a deadlock in the parent
process. It suggests using posix_spawn() instead. Since the latter
combines the vfork() and exec() calls, use it for xtables_insmod().
Signed-off-by: Phil Sutter
---
libxtables/xtables.c | 15 +--
1 file changed, 5
All commands this block handles set p->chain. Also the pointer is
dereferenced before, so no point in checking for it to be non-NULL.
Signed-off-by: Phil Sutter
---
iptables/xtables.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables.c b/iptables/xtables.c
In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.
Signed-off-by: Phil Sutter
---
This change originated from covscan complaining about the strcpy() call
with an unknown size source buffer. But in fact, the size is known (and
equal to the destination size), so pass a pointer to STRUCT_GETINFO to
alloc_handle() instead of its fields separately. Hopefully this will
silence
Not a real problem here, but covscan got confused by one string
containing the 'then' keyword.
Signed-off-by: Phil Sutter
---
iptables/iptables-apply | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index
These functions contain code which occurs in legacy's print_firewall()
functions, so use them there.
Rename them to at least make clear they print more than a single
address.
Also introduce ipv{4,6}_addr_to_string() which take care of converting
an address/netmask pair into string representation
Both affected functions check if 'oldopts' is NULL once but later seem
to ignore that possibility. To catch up on that, increment the pointer
only if it isn't NULL, also don't copy its content into the merged
options buffer in that case.
Signed-off-by: Phil Sutter
---
libxtables/xtables.c |
This moves getethertype.c into libxtables so that both extensions and
xtables-nft-multi may use the implementations therein. New users are
libebt_arp and libebt_vlan which drop their own duplicated
implementations of getethertypebyname() for the shared one.
This change originated from a covscan
Since nft_arp_rule_to_cs() may not set cs->jumpto, later call to
strcmp() may be passed a NULL pointer. Therefore check if the pointer is
valid before doing so.
Signed-off-by: Phil Sutter
---
iptables/nft-arp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
Make sure destination buffers are NULL-terminated by replacing strcpy()
with strncat() (if the destination is guaranteed to be zeroed) or by
explicitly setting the last byte in the buffer to zero.
While being at it, replace two direct calls to calloc() with
xtables_calloc() since that takes care of error checking.
Instead of using strcat() and assuming the name will fit, print into the
buffer using snprintf() which truncates the string as needed.
Signed-off-by: Phil Sutter
---
extensions/libxt_LED.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/extensions/libxt_LED.c
This (rather large) series of patches contains changes to address
complaints of a recent covscan run. As is typical for covscan, not all
of them are problematic in practice, but in case the false-negative is
not obvious at first (or second) sight, changing the code is still not a
bad idea just to
I got stuck a bit with the nft cli coding.
By now the following works:
$ nft add map inet filter secmapping { type inet_service : secmark \; }
$ nft add rule inet filter input tcp dport 21 secmark
"system_u:object_r:ftp_server_packet_t:s0"
$ nft add rule inet filter input secmark name tcp dport
The variable is not read before being assigned the return value of
strtoul(), therefore the initialization is useless. And since after this
change parameter 'end' becomes unused, drop it as well.
Signed-off-by: Phil Sutter
---
extensions/libxt_time.c | 8
1 file changed, 4 insertions(+),
The code obviously tries to assert that nft_table_builtin_find()
returned a valid pointer before dereferencing it, but the wrong argument
was given. Assume this is just a typo and insert the missing underscore.
Fixes: 9b896224e0bfc ("xtables: rework rule cache logic")
Signed-off-by: Phil Sutter
Signed-off-by: Phil Sutter
---
iptables/.gitignore | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/.gitignore b/iptables/.gitignore
index 5ca54adca38cf..d0301c6de896e 100644
--- a/iptables/.gitignore
+++ b/iptables/.gitignore
@@ -14,6 +14,8 @@
/iptables-xml
/iptables-xml.1
Since info->protocol is of type __u8, its value will never become -1.
Apart from that, xtables_parse_protocol() calls xt_params->exit_err() in
case of error, so this code is dead anyway.
Signed-off-by: Phil Sutter
---
extensions/libebt_ip.c | 4
extensions/libebt_ip6.c | 4
2 files
Move the function to xshared.c for common use between legacy and xtables
sources. While being at it, silence a covscan warning triggered by that
function as it couldn't verify input buffers won't exceed IFNAMSIZ.
Therefore use snprintf() when writing to the local buffer.
Signed-off-by: Phil