ebtables: fix over-eager -o checks on custom chains
authorFlorian Westphal <fw@strlen.de>
Tue, 10 Sep 2019 21:10:59 +0000 (23:10 +0200)
committerFlorian Westphal <fw@strlen.de>
Thu, 12 Sep 2019 11:05:53 +0000 (13:05 +0200)
Arturo reports ebtables-nft reports an error when -o is
used in custom chains:

-A MYCHAIN -o someif
makes ebtables-nft exit with an error:
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains."

Problem is that all the "-o" checks expect <= NF_BR_POST_ROUTING
to mean "builtin", so -1 mistakenly leads to the checks being active.

Reported-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1347
Signed-off-by: Florian Westphal <fw@strlen.de>
extensions/libebt_standard.t
iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 [new file with mode: 0755]
iptables/xtables-eb.c

index 0d678fb23c439a1a9bb9cd6c07189b0d3c36c0cd..c6c3172748d7b83dc35e684728260fdc26891e4d 100644 (file)
@@ -9,3 +9,20 @@
 -p ! ARP -j ACCEPT;=;OK
 -p 0 -j ACCEPT;=;FAIL
 -p ! 0 -j ACCEPT;=;FAIL
+:INPUT
+-i foobar;=;OK
+-o foobar;=;FAIL
+:FORWARD
+-i foobar;=;OK
+-o foobar;=;OK
+:OUTPUT
+-i foobar;=;FAIL
+-o foobar;=;OK
+:PREROUTING
+*nat
+-i foobar;=;OK
+-o foobar;=;FAIL
+:POSTROUTING
+*nat
+-i foobar;=;FAIL
+-o foobar;=;OK
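Review bot: The added cases only use the builtin chains (INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING), so this file does not exercise the user-defined-chain case the commit fixes; that regression is covered only by the new shell test. If the .t harness accepts a user-defined chain header, a block such as `:MYCHAIN` followed by `-i foobar;=;OK` and `-o foobar;=;OK` would pin the fix here as well, where it also runs without a live backend. I cannot tell from this hunk whether custom chain headers are supported by the harness, so treat that as something to check rather than a confirmed gap.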
diff --git a/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0 b/iptables/tests/shell/testcases/ebtables/0005-ifnamechecks_0
new file mode 100755 (executable)
index 0000000..2163d36
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e
+
+# there is no legacy backend to test
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+EXPECT='*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:PVEFW-FORWARD ACCEPT
+:PVEFW-FWBR-OUT ACCEPT
+-A FORWARD -j PVEFW-FORWARD
+-A PVEFW-FORWARD -p IPv4 -j ACCEPT
+-A PVEFW-FORWARD -p IPv6 -j ACCEPT
+-A PVEFW-FORWARD -i fwln+ -j ACCEPT
+-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT'
+
+$XT_MULTI ebtables-restore <<<$EXPECT
+exec diff -u <(echo -e "$EXPECT") <($XT_MULTI ebtables-save | grep -v '^#')
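Review bot: `echo -e "$EXPECT"` on the last line asks echo to interpret backslash escapes, which the expected ruleset does not contain today but a future case could; `printf '%s\n' "$EXPECT"` produces the same text without that hazard. The here-string on the line above is unquoted; bash does not word-split here-strings, but `<<<"$EXPECT"` states the intent and matches the quoting used on the diff side. The `grep -v '^#'` filter discards every comment line ebtables-save prints, which is presumably only header/footer comments — confirm nothing else the test should compare starts with `#`.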
index 121ecbecd0b640a7c31983425130a8687e14f09b..3b03daef28eb3943b86e6e64349f1277de0dcbe2 100644 (file)
@@ -197,7 +197,8 @@ int ebt_get_current_chain(const char *chain)
        else if (strcmp(chain, "POSTROUTING") == 0)
                return NF_BR_POST_ROUTING;
 
-       return -1;
+       /* placeholder for user defined chain */
+       return NF_BR_NUMHOOKS;
 }
 
 /*
@@ -1223,7 +1224,7 @@ print_zero:
        cs.eb.ethproto = htons(cs.eb.ethproto);
 
        if (command == 'P') {
-               if (selected_chain < 0) {
+               if (selected_chain >= NF_BR_NUMHOOKS) {
                        ret = ebt_set_user_chain_policy(h, *table, chain, policy);
                } else {
                        if (strcmp(policy, "RETURN") == 0) {
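Review bot: The sentinel for a user-defined chain changes from -1 to NF_BR_NUMHOOKS, so any caller of ebt_get_current_chain that still tests `< 0` would now treat a custom chain as builtin; only the `command == 'P'` site is updated in these hunks, and since the function is not static, other call sites (not visible here) need the same audit. The comment at the return site should state the contract rather than say "placeholder", e.g. `/* not a builtin chain: NF_BR_NUMHOOKS, so "< NF_BR_NUMHOOKS" means builtin */`, and a header comment on ebt_get_current_chain, whose start lies outside the first hunk, should say that it returns the NF_BR_* hook number for a builtin chain and NF_BR_NUMHOOKS otherwise. If selected_chain is still initialised to -1 somewhere before it is assigned from this function, that value would now fall into the builtin branch of the second hunk; I cannot see its declaration, so this is worth confirming.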