libxtables: Boost rule target checks by announcing chain names
authorPhil Sutter <phil@nwl.cc>
Fri, 4 Mar 2022 11:50:01 +0000 (12:50 +0100)
committerPhil Sutter <phil@nwl.cc>
Thu, 17 Mar 2022 08:56:18 +0000 (09:56 +0100)
When restoring a ruleset, feed libxtables with chain names from
respective lines to avoid an extension search.

While the user's intention is clear, this effectively disables the
sanity check for clashes with target extensions. But:

* The check yielded only a warning and the clashing chain was finally
  accepted.

* Users crafting iptables dumps for feeding into iptables-restore likely
  know what they're doing.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
include/xtables.h
iptables/iptables-restore.c
iptables/xtables-restore.c
libxtables/xtables.c

index 044f191f313cc7643ca3408cf8d59ae7085e9179..84369dacb7e3769e42a871d82238042e945a02b6 100644 (file)
@@ -654,6 +654,9 @@ const char *xt_xlate_get(struct xt_xlate *xl);
 #define xt_xlate_rule_get xt_xlate_get
 const char *xt_xlate_set_get(struct xt_xlate *xl);
 
+/* informed target lookups */
+void xtables_announce_chain(const char *name);
+
 #ifdef XTABLES_INTERNAL
 
 /* Shipped modules rely on this... */
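Review bot: The new public prototype `xtables_announce_chain` is introduced with only `/* informed target lookups */`, which does not state what announcing a chain does or what the caller must guarantee. Since this is the exported header, I would replace that line with a contract comment such as `/* Record NAME as a user-defined chain so that later target lookups for that name skip the extension search (see commit message). NAME must be non-NULL and already validated as a chain name; this commit adds no way to withdraw an announcement. */`. The last sentence is inferred from the libxtables hunk, which adds only an insert path, so adjust it if a removal exists elsewhere.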
index d8f65ce1335eaec4f78644a7be0e0fa29a87c7f8..4410a587597ba22481b4c88626266005a41e6438 100644 (file)
@@ -308,6 +308,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
                                                cb->ops->strerror(errno));
                        }
 
+                       xtables_announce_chain(chain);
                        ret = 1;
 
                } else if (in_table) {
index b70a3cb1c753f61e4b70f0635260810eddd4e70d..1363f96ae0eb9febe779d06cb912f67501c8d527 100644 (file)
@@ -155,6 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
                                   "%s: line %u chain name invalid\n",
                                   xt_params->program_name, line);
 
+               xtables_announce_chain(chain);
                assert_valid_chain_name(chain);
 
                policy = strtok(NULL, " \t\n");
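Review bot: The added `xtables_announce_chain(chain);` runs before `assert_valid_chain_name(chain);`, so a name that fails validation is recorded in the notargets cache before it is rejected. If assert_valid_chain_name() aborts the whole restore this is harmless in practice, but swapping the two lines — `assert_valid_chain_name(chain);` then `xtables_announce_chain(chain);` — keeps the cache limited to names that passed the check and does not rely on that abort behaviour. The enclosing xtables_restore_parse_line() starts and ends outside the hunk.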
index 060907278e264b1dc0237632dd0c542337406336..96fd783a066cfbf6006951b8843efb567664f3a0 100644 (file)
@@ -321,6 +321,12 @@ static void notargets_hlist_insert(const char *name)
        hlist_add_head(&cur->node, &notargets[djb_hash(name) % NOTARGET_HSIZE]);
 }
 
+void xtables_announce_chain(const char *name)
+{
+       if (!notargets_hlist_lookup(name))
+               notargets_hlist_insert(name);
+}
+
 void xtables_init(void)
 {
        /* xtables cannot be used with setuid in a safe way. */
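Review bot: `xtables_announce_chain()` becomes an exported symbol but has no comment and no guard on `name`; notargets_hlist_insert() hashes the string with `djb_hash(name)` on the context line above, so a NULL argument would presumably dereference it in the lookup or the insert. Both restore callers in this commit pass a name already parsed from the input line, so stating the precondition is enough: `/* Mark NAME as a chain so the target lookup skips the extension search for it (per commit message). NAME must be non-NULL; the cache only grows. */`. Because this deliberately bypasses the clash warning for chains named like target extensions, that consequence is worth a sentence in the comment as well, since callers outside iptables-restore will not have read the commit message.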