git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Tue, 21 Sep 2021 14:42:36 +0000 (16:42 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Mon, 27 Sep 2021 11:29:38 +0000 (13:29 +0200)
commit	f9b33967f2b4b58160c0a970da77d5e44406803a
tree	193643d0af4bdab4503430dbeb74ec0e7642beec	tree
parent	4318961230bce82958df82b57f1796143bf2f421	commit \| diff

nft: Check base-chain compatibility when adding to cache

With introduction of dedicated base-chain slots, a selection process was
established as no longer all base-chains ended in the same chain list
for later searching/checking but only the first one found for each hook
matching criteria is kept and the rest discarded.

A side-effect of the above is that table compatibility checking started
to omit consecutive base-chains, making iptables-nft less restrictive as
long as the expected base-chains were returned first from kernel when
populating the cache.

Make behaviour consistent and warn users about the possibly disturbing
chains found by:

* Run all base-chain checks from nft_is_chain_compatible() before
  allowing a base-chain to occupy its slot.
* If an unfit base-chain was found (and discarded), flag the table's
  cache as tainted and warn about it if the remaining ruleset is
  otherwise compatible.

Since base-chains that remain in cache would pass
nft_is_chain_compatible() checking, remove that and reduce it to rule
inspection.

Signed-off-by: Phil Sutter <phil@nwl.cc>

iptables/nft-cache.c		diff \| blob \| blame \| history
iptables/nft.c		diff \| blob \| blame \| history
iptables/nft.h		diff \| blob \| blame \| history
iptables/tests/shell/testcases/chain/0004extra-base_0		diff \| blob \| blame \| history
iptables/xtables-save.c		diff \| blob \| blame \| history