iptables: xtables-eb: user-defined chains default policy is always RETURN
authorArturo Borrero <arturo.borrero.glez@gmail.com>
Mon, 24 Nov 2014 09:52:04 +0000 (10:52 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 24 Nov 2014 12:49:35 +0000 (13:49 +0100)
The RETURN default policy is mandatory in user-defined chains.
Builtin chains must have one of ACCEPT or DROP.

So, with this patch, ebtables-compat behaves as follows:

Command:                             Result:

-L                                   Always RETURN for user-defined chains
-P builtin RETURN                    Policy RETURN only allowed for user defined chains
-P builtin ACCEPT|DROP               ok
-P userdefined RETURN|ACCEPT|DROP    Policy XYZ not allowed for user defined chains
-N userdefined                       ok
-N userdefined -P RETURN|ACCEPT|DROP Policy XYZ not allowed for user defined chains

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-bridge.c
iptables/xtables-eb.c

index b5aec0010b866288e2626f7889057ca57dda8995..a1bd9065a2b879a8924c6f10cf1725036a436fd6 100644 (file)
@@ -356,7 +356,8 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
                                    const struct xt_counters *counters,
                                    bool basechain, uint32_t refs)
 {
-       printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
+       printf("Bridge chain: %s, entries: %u, policy: %s\n",
+              chain, refs, basechain ? pol : "RETURN");
 }
 
 static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
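Review bot: The `pol` argument passed by the caller is now silently discarded whenever `basechain` is false, and nothing at the call site documents that; a one-line comment on the new printf would save the next reader a trip to the caller, e.g. `/* user-defined chains carry no configurable policy; always report RETURN */`. Whether `pol` can be NULL for non-base chains is not visible here, but if it can, the ternary is also what keeps `%s` from dereferencing it, which is worth stating. The function's signature (including the `pol` parameter) starts before the hunk.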
index 917bca22e0bd00907975c9aff6f58b97d0f1730c..47af78f9ff6f951dae8ac2128e1a8f503d6444f7 100644 (file)
@@ -616,6 +616,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
                case 'E': /* Rename chain */
                case 'X': /* Delete chain */
                        /* We allow -N chainname -P policy */
+                       /* XXX: Not in ebtables-compat */
                        if (command == 'N' && c == 'P') {
                                command = c;
                                optind--; /* No table specified */
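Review bot: The added `/* XXX: Not in ebtables-compat */` directly contradicts the existing `/* We allow -N chainname -P policy */` on the line above, so the pair now reads as "allowed / not allowed" with no explanation. Judging from the commit description, the form is still parsed here but rejected by the later policy check, so the two lines would be clearer merged into one, e.g. `/* -N chainname -P policy is parsed for ebtables compatibility, but ebtables-compat rejects it later: user-defined chains always have policy RETURN */`. The enclosing switch and do_commandeb continue outside the hunk.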
@@ -1146,9 +1147,15 @@ check_extension: */
        cs.fw.ethproto = htons(cs.fw.ethproto);
 
        if (command == 'P') {
-               if (selected_chain < NF_BR_NUMHOOKS && strcmp(policy, "RETURN")==0)
+               if (selected_chain < 0) {
+                       xtables_error(PARAMETER_PROBLEM,
+                                     "Policy %s not allowed for user defined chains",
+                                     policy);
+               }
+               if (strcmp(policy, "RETURN") == 0) {
                        xtables_error(PARAMETER_PROBLEM,
                                      "Policy RETURN only allowed for user defined chains");
+               }
                ret = nft_chain_set(h, *table, chain, policy, NULL);
                if (ret < 0)
                        xtables_error(PARAMETER_PROBLEM, "Wrong policy");
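Review bot: The new `if (selected_chain < 0)` test may not match the convention the removed line relied on: the old code treated `selected_chain < NF_BR_NUMHOOKS` as "builtin", which suggests user-defined chains were numbered at or above NF_BR_NUMHOOKS rather than negative. Unless selected_chain is set to a negative value for user-defined chains elsewhere in this file (not visible here), the user-defined case is never rejected and `-P userdefined ACCEPT` falls through to nft_chain_set; keeping both forms, `if (selected_chain < 0 || selected_chain >= NF_BR_NUMHOOKS) {`, would be robust to either numbering. Separately, once that branch rejects every policy on user-defined chains, the second message "Policy RETURN only allowed for user defined chains" tells the user to do something the tool refuses; `"Policy RETURN not allowed for builtin chains"` states the actual rule. The braces around the single xtables_error calls are presumably only style, assuming xtables_error does not return; the enclosing function continues outside the hunk.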