This reverts commit 786b75f7c9b9feaa294da097c2e9727747162c79. The internal routine xtopt_esize_by_type() is *not* just a fancy wrapper around direct xtop_psize array access, as clearly indicated by the comment right above it: It will return the single field size for range-value types (XTTYPE_UINT*RC). Using it in xtables_option_metavalidate() leads to spurious "memory block of wrong size" complaints.
Fixes: 786b75f7c9b9f ("libxtables: Promote xtopt_esize_by_type() as xtopt_psize getter")
Signed-off-by: Phil Sutter
---
 libxtables/xtoptions.c | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index ecaea4ec16cc9..64d6599af904b 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -145,11 +145,8 @@ static size_t xtopt_esize_by_type(enum xt_option_type type)
 case XTTYPE_UINT64RC:
 return xtopt_psize[XTTYPE_UINT64];
 default:
- break;
- }
- if (type < ARRAY_SIZE(xtopt_psize))
 return xtopt_psize[type];
- return 0;
+ }
 }

 static uint64_t htonll(uint64_t val)
@@ -889,8 +886,6 @@ void xtables_option_parse(struct xt_option_call *cb)
 void xtables_option_metavalidate(const char *name,
 const struct xt_option_entry *entry)
 {
- size_t psize;
-
 for (; entry->name != NULL; ++entry) {
 if (entry->id >= CHAR_BIT * sizeof(unsigned int) ||
 entry->id >= XT_OPTION_OFFSET_SCALE)
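Review bot: The restored `default:` branch of xtopt_esize_by_type() returns `xtopt_psize[type]` without the `type < ARRAY_SIZE(xtopt_psize)` guard this hunk removes, so an enum value outside the table would read past its end. That is presumably safe because the remaining callers only see entries that already passed xtables_option_metavalidate(), which range-checks entry->type in the later hunk, but nothing in the function itself records that precondition. A one-line comment would, e.g. `/* type must be a valid xtopt_psize index; callers rely on xtables_option_metavalidate() having checked it */`. The function begins before the hunk, at the signature shown in the hunk header.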
@@ -905,18 +900,19 @@ void xtables_option_metavalidate(const char *name,
 "Oversight?", name, entry->name);
 continue;
 }
-
- psize = xtopt_esize_by_type(entry->type);
- if (!psize)
+ if (entry->type >= ARRAY_SIZE(xtopt_psize) ||
+ xtopt_psize[entry->type] == 0)
 xt_params->exit_err(OTHER_PROBLEM,
 "%s: entry type of option \"--%s\" cannot be "
 "combined with XTOPT_PUT\n",
 name, entry->name);
- else if (psize != -1 && psize != entry->size)
+ if (xtopt_psize[entry->type] != -1 &&
+ xtopt_psize[entry->type] != entry->size)
 xt_params->exit_err(OTHER_PROBLEM,
 "%s: option \"--%s\" points to a memory block "
 "of wrong size (expected %zu, got %zu)\n",
- name, entry->name, psize, entry->size);
+ name, entry->name,
+ xtopt_psize[entry->type], entry->size);
 }
 }
-- 2.49.0
Since commit 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains"), the command may be applied to "builtin" chains as well, so the output is basically valid. Apart from that, since kernel commit a1050dd07168 ("netfilter: nf_tables: Reintroduce shortened deletion notifications") the base chain deletion notification does not contain NFTNL_CHAIN_PRIO (actually: NFTA_HOOK_PRIORITY) attribute anymore so this implicitly fixes for changed kernel behaviour.
Signed-off-by: Phil Sutter
---
 .../tests/shell/testcases/nft-only/0012-xtables-monitor_0 | 8 ++++----
 iptables/xtables-monitor.c | 4 +++-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index c49b7ccddeb35..10d9547ae8f44 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
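Review bot: The second `if` in the restored code reads `xtopt_psize[entry->type]` unconditionally, so it stays in bounds only because `xt_params->exit_err()` in the preceding branch never returns; if that callback ever did return, an out-of-range `entry->type` would index past the table. Keeping the `else` the commit drops, `else if (xtopt_psize[entry->type] != -1 &&`, makes the guard explicit in the control flow rather than relying on the callback's noreturn attribute, and it reads the same element one time less. The `!= -1` comparison is well-defined if the table holds `size_t` (the `%zu` format suggests it does) but is clearer as `!= (size_t)-1`. The enclosing for loop and the function begin before the hunk.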
@@ -124,16 +124,16 @@ monitorcheck ebtables -F FORWARD
 EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT"
 monitorcheck arptables -F INPUT
-EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+EXP=" EVENT: iptables -t filter -X FORWARD"
 monitorcheck iptables -X FORWARD
-EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+EXP=" EVENT: ip6tables -t filter -X FORWARD"
 monitorcheck ip6tables -X FORWARD
-EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1"
+EXP=" EVENT: ebtables -t filter -X FORWARD"
 monitorcheck ebtables -X FORWARD
-EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1"
+EXP=" EVENT: arptables -t filter -X INPUT"
 monitorcheck arptables -X INPUT
 exit $rc
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 9561bd177dee4..950aac17a2411 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -157,7 +157,9 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
 printf(" EVENT: ");
- if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO) || !family_cmd(family)) {
+ if (!family_cmd(family) ||
+ (type == NFT_MSG_NEWCHAIN &&
+ nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO))) {
 nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0);
 printf("nft: %s chain: %s\n",
-- 2.49.0
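Review bot: The new condition in chain_cb() consults NFTNL_CHAIN_PRIO only for NFT_MSG_NEWCHAIN, but the reason is not visible in the code; it lives in the commit message (deletion notifications no longer carry the hook priority since kernel commit a1050dd07168, so base-chain deletions are to be printed as the family command). A short comment above the `if` would keep that from being lost, e.g. `/* DEL notifications carry no hook priority (kernel a1050dd07168); print base chain deletions as the family command */`. chain_cb() begins before the hunk and the if body continues past it, so I could not confirm where `type` is assigned; presumably it is derived from nlh->nlmsg_type earlier in the function.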