git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Wed, 25 Jan 2023 01:01:56 +0000 (02:01 +0100)
committer	Phil Sutter <phil@nwl.cc>
	Tue, 31 Jan 2023 15:29:26 +0000 (16:29 +0100)
commit	27d37863a486352511dac385bde8f3d20526be5b
tree	d977a53130907f2522eab24d062b879384578ff5	tree
parent	d6eb6a9fd3878ce4fa01f8d4127f1735988bd07b	commit \| diff

ebtables: Refuse unselected targets' options

Unlike legacy, ebtables-nft would allow e.g.:

| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be

While the result is correct, it may mislead users into believing
multiple targets are possible per rule. Better follow legacy's behaviour
and reject target options unless they have been "enabled" by a previous
'-j' option.

To achieve this, one needs to distinguish targets from watchers also
attached to 'xtables_targets' and otherwise behaving like regular
matches. Introduce XTABLES_EXT_WATCHER to mark the two.

The above works already, but error messages are misleading when using
the now unsupported syntax since target options have been merged
already. Solve this by not pre-loading the targets at all, code will
just fall back to loading ad '-j' parsing time as iptables does.

Note how this also fixes for 'counter' statement being in wrong position
of ebtables-translate output.

Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

extensions/libebt_dnat.txlate		diff \| blob \| blame \| history
extensions/libebt_log.c		diff \| blob \| blame \| history
extensions/libebt_mark.txlate		diff \| blob \| blame \| history
extensions/libebt_nflog.c		diff \| blob \| blame \| history
extensions/libebt_snat.txlate		diff \| blob \| blame \| history
include/xtables.h		diff \| blob \| blame \| history
iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0		diff \| blob \| blame \| history
iptables/xtables-eb.c		diff \| blob \| blame \| history