nft: Reject standard targets as chain names when restoring
authorPhil Sutter <phil@nwl.cc>
Wed, 16 Mar 2022 16:14:07 +0000 (17:14 +0100)
committerPhil Sutter <phil@nwl.cc>
Thu, 17 Mar 2022 08:55:48 +0000 (09:55 +0100)
Reuse parse_chain() called from do_parse() for '-N' and rename it for a
better description of what it does.

Note that by itself, this patch will likely kill iptables-restore
performance for big rulesets due to the extra extension lookup for chain
lines. A following patch announcing those chains to libxtables will
alleviate that.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>
iptables/xshared.c
iptables/xshared.h
iptables/xtables-restore.c

index 43321d3b5358ca337fefb2a3b4255902724b2164..00828c8ae87d999bf40cf40f6be198576b9a5bcf 100644 (file)
@@ -1031,7 +1031,7 @@ set_option(unsigned int *options, unsigned int option, u_int16_t *invflg,
        }
 }
 
-void parse_chain(const char *chainname)
+void assert_valid_chain_name(const char *chainname)
 {
        const char *ptr;
 
@@ -1412,7 +1412,7 @@ void do_parse(int argc, char *argv[],
                        break;
 
                case 'N':
-                       parse_chain(optarg);
+                       assert_valid_chain_name(optarg);
                        add_command(&p->command, CMD_NEW_CHAIN, CMD_NONE,
                                    invert);
                        p->chain = optarg;
index 0de0e12e5a922b5eb1703844c41b56fa76d88558..ca761ee7246ad74a676a33338703114b8e04b0d8 100644 (file)
@@ -244,7 +244,7 @@ char cmd2char(int option);
 void add_command(unsigned int *cmd, const int newcmd,
                 const int othercmds, int invert);
 int parse_rulenumber(const char *rule);
-void parse_chain(const char *chainname);
+void assert_valid_chain_name(const char *chainname);
 
 void generic_opt_check(int command, int options);
 char opt2char(int option);
index b3cf4017941987b6fb6f76c75a61eaf8da9a493a..b70a3cb1c753f61e4b70f0635260810eddd4e70d 100644 (file)
@@ -155,10 +155,7 @@ static void xtables_restore_parse_line(struct nft_handle *h,
                                   "%s: line %u chain name invalid\n",
                                   xt_params->program_name, line);
 
-               if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
-                       xtables_error(PARAMETER_PROBLEM,
-                                  "Invalid chain name `%s' (%u chars max)",
-                                  chain, XT_EXTENSION_MAXNAMELEN - 1);
+               assert_valid_chain_name(chain);
 
                policy = strtok(NULL, " \t\n");
                DEBUGP("line %u, policy '%s'\n", line, policy);
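Review bot: The new `assert_valid_chain_name(chain);` call drops the explicit `strlen(chain) >= XT_EXTENSION_MAXNAMELEN` rejection that restore performed at this point, and the callee's body is not in this diff, so the hunk alone does not show that the length bound is still enforced before `chain` is used further down in xtables_restore_parse_line (the function continues outside the hunk). If the renamed function does not check the length itself, the removed check should stay here, since `chain` is tokenized straight out of the restore input. The `assert_` prefix chosen in the rename (iptables/xshared.c and iptables/xshared.h) also reads like a debug-only check in C, whereas this validation has to run in every build; a comment at the call such as `/* must run in every build; not a debug assert() */` or a name like `check_chain_name()` would make that clear.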