arptables-nft: remove ARPT_INV flags usage
authorFlorian Westphal <fw@strlen.de>
Fri, 3 Nov 2023 16:33:22 +0000 (17:33 +0100)
committerPhil Sutter <phil@nwl.cc>
Fri, 3 Nov 2023 20:46:10 +0000 (21:46 +0100)
ARPT_ and IPT_INV flags are not interchangeable, e.g.:
define IPT_INV_SRCDEVADDR 0x0080
define ARPT_INV_SRCDEVADDR 0x0010

as these flags can be tested by libarp_foo.so such checks can yield
incorrect results.

Because arptables-nft uses existing code, e.g. xt_mark, it makes
sense to unify this completely by converting the last users of
ARPT_INV_ constants.

Note that arptables-legacy does not do run-time module loading via
dlopen(). Functionality implemented by "extensions" in the
arptables-legacy git tree are built-in, so this doesn't break
arptables-legacy binaries.

Fixes: 44457c080590 ("xtables-arp: Don't use ARPT_INV_*")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
extensions/libarpt_mangle.c
iptables/nft-arp.c
iptables/xshared.h

index 765edf34781f35c1ef76c044f01cde1f768e3e0b..a846e97ec8f27d67a11aff4e14c2ef809ebb0662 100644 (file)
@@ -77,7 +77,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
                if (e->arp.arhln_mask == 0)
                        xtables_error(PARAMETER_PROBLEM,
                                      "no --h-length defined");
-               if (e->arp.invflags & ARPT_INV_ARPHLN)
+               if (e->arp.invflags & IPT_INV_ARPHLN)
                        xtables_error(PARAMETER_PROBLEM,
                                      "! --h-length not allowed for "
                                      "--mangle-mac-s");
@@ -95,7 +95,7 @@ arpmangle_parse(int c, char **argv, int invert, unsigned int *flags,
                if (e->arp.arhln_mask == 0)
                        xtables_error(PARAMETER_PROBLEM,
                                      "no --h-length defined");
-               if (e->arp.invflags & ARPT_INV_ARPHLN)
+               if (e->arp.invflags & IPT_INV_ARPHLN)
                        xtables_error(PARAMETER_PROBLEM,
                                      "! hln not allowed for --mangle-mac-d");
                if (e->arp.arhln != 6)
index aed39ebdd516677d8cb4c46955d9bf7081994d64..535dd6b83237bb8a50390a1915355fbbf40b7eea 100644 (file)
@@ -490,7 +490,7 @@ static void nft_arp_post_parse(int command,
                                         &args->d.naddrs);
 
        if ((args->s.naddrs > 1 || args->d.naddrs > 1) &&
-           (cs->arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP)))
+           (cs->arp.arp.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
                xtables_error(PARAMETER_PROBLEM,
                              "! not allowed with multiple"
                              " source or destination IP addresses");
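Review bot: The guard on the new line of the @@ -490 hunk now tests IPT_INV_SRCIP | IPT_INV_DSTIP, but nothing records that cs->arp.arp.invflags is populated in the IPT_INV_* encoding, which is the invariant this fix depends on and the one the commit message says extensions have already got wrong. A one-line comment above the condition would pin it: `/* invflags use the IPT_INV_* encoding (see xshared.h); ARPT_INV_* bits do not match it */`. A regression test pairing `!` with multiple source or destination addresses would also catch a future reintroduction of the wrong constant family, since the old condition presumably accepted some combinations it was meant to reject. nft_arp_post_parse begins before this hunk.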
index a200e0d620ad37b5213ff3bb309526e42422b338..5586385456a4db47788aab0cb33e752119f3a1fa 100644 (file)
@@ -80,7 +80,9 @@ struct xtables_target;
 #define ARPT_OPTSTRING OPTSTRING_COMMON "R:S::" "h::l:nvx" /* "m:" */
 #define EBT_OPTSTRING  OPTSTRING_COMMON "hv"
 
-/* define invflags which won't collide with IPT ones */
+/* define invflags which won't collide with IPT ones.
+ * arptables-nft does NOT use the legacy ARPT_INV_* defines.
+ */
 #define IPT_INV_SRCDEVADDR     0x0080
 #define IPT_INV_TGTDEVADDR     0x0100
 #define IPT_INV_ARPHLN         0x0200
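Review bot: The reworded comment on the new lines asserts that IPT_INV_SRCDEVADDR, IPT_INV_TGTDEVADDR and IPT_INV_ARPHLN do not collide with the kernel's IPT_INV_* bits, but nothing enforces that, so a future addition could silently turn a `!` test into a wrong-bit test. A header-level check would make it a build error instead, e.g. `_Static_assert(((IPT_INV_SRCDEVADDR | IPT_INV_TGTDEVADDR | IPT_INV_ARPHLN) & IPT_INV_MASK) == 0, "arptables-nft invflags overlap kernel IPT_INV_* bits");` placed after the three defines, assuming ip_tables.h is already in scope in this header. The comment could also state why the ARPT_INV_* family must be avoided rather than just that it is: its bit values overlap numerically with the kernel IPT_INV_* values (the commit message's ARPT_INV_SRCDEVADDR 0x0010 is the same bit as IPT_INV_DSTIP), so mixing the two families tests the wrong bit without any compiler warning.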