ebtables: Refuse unselected targets' options

Unlike legacy, ebtables-nft would allow e.g.:

| -t nat -A PREROUTING --to-dst fe:ed:00:00:ba:be

While the result is correct, it may mislead users into believing
multiple targets are possible per rule. Better follow legacy's behaviour
and reject target options unless they have been "enabled" by a previous
'-j' option.

To achieve this, one needs to distinguish targets from watchers also
attached to 'xtables_targets' and otherwise behaving like regular
matches. Introduce XTABLES_EXT_WATCHER to mark the two.

The above works already, but error messages are misleading when using
the now unsupported syntax since target options have been merged
already. Solve this by not pre-loading the targets at all, code will
just fall back to loading ad '-j' parsing time as iptables does.

Note how this also fixes for 'counter' statement being in wrong position
of ebtables-translate output.

Fixes: fe97f60e5d2a9 ("ebtables-compat: add watchers support")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libebt_dnat.txlate b/extensions/libebt_dnat.txlate
index 9f305c76c954f511d8fa509a4bd5c0a72bdad6ea..531a22aa3e14f66d007ecf9babdd39d70c75de5a 100644 (file)
--- a/extensions/libebt_dnat.txlate
+++ b/extensions/libebt_dnat.txlate
@@ -1,8 +1,8 @@
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target ACCEPT
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A PREROUTING -i someport --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
-nft 'add rule bridge nat PREROUTING iifname "someport" ether daddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A PREROUTING -i someport -j dnat --to-dst de:ad:00:be:ee:ff --dnat-target CONTINUE
+nft 'add rule bridge nat PREROUTING iifname "someport" counter ether daddr set de:ad:0:be:ee:ff continue'

diff --git a/extensions/libebt_log.c b/extensions/libebt_log.c
index 045062196d20d6f628a74cb88a1200b560fbb496..9f8d1589568029552e411db834e7be8cc97ef641 100644 (file)
--- a/extensions/libebt_log.c
+++ b/extensions/libebt_log.c
@@ -197,6 +197,7 @@ static int brlog_xlate(struct xt_xlate *xl,
 static struct xtables_target brlog_target = {
        .name           = "log",
        .revision       = 0,
+       .ext_flags      = XTABLES_EXT_WATCHER,
        .version        = XTABLES_VERSION,
        .family         = NFPROTO_BRIDGE,
        .size           = XT_ALIGN(sizeof(struct ebt_log_info)),

diff --git a/extensions/libebt_mark.txlate b/extensions/libebt_mark.txlate
index d006e8ac940080e1647b6bdb072d3718cc425a28..4ace1a1f5cfde4c626852fb4c691a970041eb128 100644 (file)
--- a/extensions/libebt_mark.txlate
+++ b/extensions/libebt_mark.txlate
@@ -1,11 +1,11 @@
-ebtables-translate -A INPUT --mark-set 42
-nft 'add rule bridge filter INPUT meta mark set 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-set 42
+nft 'add rule bridge filter INPUT counter meta mark set 0x2a accept'
 
-ebtables-translate -A INPUT --mark-or 42 --mark-target RETURN
-nft 'add rule bridge filter INPUT meta mark set meta mark or 0x2a return counter'
+ebtables-translate -A INPUT -j mark --mark-or 42 --mark-target RETURN
+nft 'add rule bridge filter INPUT counter meta mark set meta mark or 0x2a return'
 
-ebtables-translate -A INPUT --mark-and 42 --mark-target ACCEPT
-nft 'add rule bridge filter INPUT meta mark set meta mark and 0x2a accept counter'
+ebtables-translate -A INPUT -j mark --mark-and 42 --mark-target ACCEPT
+nft 'add rule bridge filter INPUT counter meta mark set meta mark and 0x2a accept'
 
-ebtables-translate -A INPUT --mark-xor 42 --mark-target DROP
-nft 'add rule bridge filter INPUT meta mark set meta mark xor 0x2a drop counter'
+ebtables-translate -A INPUT -j mark --mark-xor 42 --mark-target DROP
+nft 'add rule bridge filter INPUT counter meta mark set meta mark xor 0x2a drop'

diff --git a/extensions/libebt_nflog.c b/extensions/libebt_nflog.c
index 115e15da45845ba1db5e2a7c3a6ba2b240e70cd7..762d6d5d8bbe24207dbd333155f0ed48c0d0dad8 100644 (file)
--- a/extensions/libebt_nflog.c
+++ b/extensions/libebt_nflog.c
@@ -146,6 +146,7 @@ static int brnflog_xlate(struct xt_xlate *xl,
 static struct xtables_target brnflog_watcher = {
        .name           = "nflog",
        .revision       = 0,
+       .ext_flags      = XTABLES_EXT_WATCHER,
        .version        = XTABLES_VERSION,
        .family         = NFPROTO_BRIDGE,
        .size           = XT_ALIGN(sizeof(struct ebt_nflog_info)),

diff --git a/extensions/libebt_snat.txlate b/extensions/libebt_snat.txlate
index 857a6052aed1a264c69677cd9731252e351049b6..37343d3a14754dd763a16dc43e6c3fe9abe30ddc 100644 (file)
--- a/extensions/libebt_snat.txlate
+++ b/extensions/libebt_snat.txlate
@@ -1,5 +1,5 @@
-ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ --to-source de:ad:00:be:ee:ff
-nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 ether saddr set de:ad:0:be:ee:ff accept counter'
+ebtables-translate -t nat -A POSTROUTING -s 0:0:0:0:0:0 -o someport+ -j snat --to-source de:ad:00:be:ee:ff
+nft 'add rule bridge nat POSTROUTING oifname "someport*" ether saddr 00:00:00:00:00:00 counter ether saddr set de:ad:0:be:ee:ff accept'
 
-ebtables-translate -t nat -A POSTROUTING -o someport --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
-nft 'add rule bridge nat POSTROUTING oifname "someport" ether saddr set de:ad:0:be:ee:ff continue counter'
+ebtables-translate -t nat -A POSTROUTING -o someport -j snat --to-src de:ad:00:be:ee:ff --snat-target CONTINUE
+nft 'add rule bridge nat POSTROUTING oifname "someport" counter ether saddr set de:ad:0:be:ee:ff continue'

diff --git a/include/xtables.h b/include/xtables.h
index 4ffc8ec5a17e9df4b60519af507caf3bfb66c5a8..087a1d600f9ae433760de5f9cff0955ec16f1f37 100644 (file)
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -203,6 +203,7 @@ struct xtables_lmap {
 
 enum xtables_ext_flags {
        XTABLES_EXT_ALIAS = 1 << 0,
+       XTABLES_EXT_WATCHER = 1 << 1,
 };
 
 struct xt_xlate;

diff --git a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0 b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
index 1091a4e80bebe63bfca3657aea778db3f77b91d4..b4f9728bb9b6ff29f584d952c9bc31aa52a81410 100755 (executable)
--- a/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
+++ b/iptables/tests/shell/testcases/ebtables/0002-ebtables-save-restore_0
@@ -38,7 +38,7 @@ $XT_MULTI ebtables -A foo -p IPv6 --ip6-proto tcp -j ACCEPT
 
 $XT_MULTI ebtables -A foo --limit 100 --limit-burst 42 -j ACCEPT
 $XT_MULTI ebtables -A foo --log
-$XT_MULTI ebtables -A foo --mark-set 0x23 --mark-target ACCEPT
+$XT_MULTI ebtables -A foo -j mark --mark-set 0x23 --mark-target ACCEPT
 $XT_MULTI ebtables -A foo --nflog
 $XT_MULTI ebtables -A foo --pkttype-type multicast -j ACCEPT
 $XT_MULTI ebtables -A foo --stp-type config -j ACCEPT
@@ -53,7 +53,7 @@ $XT_MULTI ebtables -A FORWARD -j foo
 $XT_MULTI ebtables -N bar
 $XT_MULTI ebtables -P bar RETURN
 
-$XT_MULTI ebtables -t nat -A PREROUTING --redirect-target ACCEPT
+$XT_MULTI ebtables -t nat -A PREROUTING -j redirect --redirect-target ACCEPT
 #$XT_MULTI ebtables -t nat -A PREROUTING --to-src fe:ed:ba:be:00:01
 
 $XT_MULTI ebtables -t nat -A OUTPUT -j ACCEPT

diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 412b5cccdc46a43dd76940b06d283252f7a8166c..3a73e79725489252165919271dedd73c605de205 100644 (file)
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -468,14 +468,14 @@ static void ebt_load_match(const char *name)
                xtables_error(OTHER_PROBLEM, "Can't alloc memory");
 }
 
-static void __ebt_load_watcher(const char *name, const char *typename)
+static void ebt_load_watcher(const char *name)
 {
        struct xtables_target *watcher;
        size_t size;
 
        watcher = xtables_find_target(name, XTF_TRY_LOAD);
        if (!watcher) {
-               fprintf(stderr, "Unable to load %s %s\n", name, typename);
+               fprintf(stderr, "Unable to load %s watcher\n", name);
                return;
        }
 
@@ -496,16 +496,6 @@ static void __ebt_load_watcher(const char *name, const char *typename)
                xtables_error(OTHER_PROBLEM, "Can't alloc memory");
 }
 
-static void ebt_load_watcher(const char *name)
-{
-       return __ebt_load_watcher(name, "watcher");
-}
-
-static void ebt_load_target(const char *name)
-{
-       return __ebt_load_watcher(name, "target");
-}
-
 void ebt_load_match_extensions(void)
 {
        opts = ebt_original_options;
@@ -522,13 +512,6 @@ void ebt_load_match_extensions(void)
 
        ebt_load_watcher("log");
        ebt_load_watcher("nflog");
-
-       ebt_load_target("mark");
-       ebt_load_target("dnat");
-       ebt_load_target("snat");
-       ebt_load_target("arpreply");
-       ebt_load_target("redirect");
-       ebt_load_target("standard");
 }
 
 void ebt_add_match(struct xtables_match *m,
@@ -633,6 +616,9 @@ int ebt_command_default(struct iptables_command_state *cs)
 
        /* Is it a watcher option? */
        for (t = xtables_targets; t; t = t->next) {
+               if (!(t->ext_flags & XTABLES_EXT_WATCHER))
+                       continue;
+
                if (t->parse &&
                    t->parse(cs->c - t->option_offset, cs->argv,
                             ebt_invert, &t->tflags, NULL, &t->t)) {
@@ -726,6 +712,11 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
        optind = 0;
        opterr = false;
 
+       for (t = xtables_targets; t; t = t->next) {
+               t->tflags = 0;
+               t->used = 0;
+       }
+
        /* Getopt saves the day */
        while ((c = getopt_long(argc, argv, EBT_OPTSTRING,
                                        opts, NULL)) != -1) {