git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Wed, 6 Sep 2023 14:32:47 +0000 (16:32 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Thu, 14 Sep 2023 10:20:11 +0000 (12:20 +0200)
commit	52ed0ac516db9f3a44f61dfd8b65d20631bfa95b
tree	0e04e0726ae98f0ac68d6801737149fabb7decb3	tree \| snapshot
parent	ea12b1d2b191f100a6fdb83af4681364e4dba12a	commit \| diff

nft: Fix for useless meta expressions in rule

A relict of legacy iptables' mandatory matching on interfaces and IP
addresses is support for the '-i +' notation, basically a "match any
input interface". Trying to make things better than its predecessor,
iptables-nft boldly optimizes that nop away - not entirely though, the
meta expression loading the interface name was left in place. While not
a problem (apart from pointless overhead) in current HEAD, v1.8.7 would
trip over this as a following cmp expression (for another match) was
incorrectly linked to that stale meta expression, loading strange values
into the respective interface name field.

While being at it, merge and generalize the functions into a common one
for use with ebtables' NFT_META_BRI_(I|O)IFNAME matches, too.

Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1702
Signed-off-by: Phil Sutter <phil@nwl.cc>

extensions/libebt_standard.t		diff \| blob \| blame \| history
extensions/libip6t_standard.t		diff \| blob \| blame \| history
extensions/libxt_standard.t		diff \| blob \| blame \| history
iptables/nft-arp.c		diff \| blob \| blame \| history
iptables/nft-bridge.c		diff \| blob \| blame \| history
iptables/nft-ipv4.c		diff \| blob \| blame \| history
iptables/nft-ipv6.c		diff \| blob \| blame \| history
iptables/nft-shared.c		diff \| blob \| blame \| history
iptables/nft-shared.h		diff \| blob \| blame \| history