Package: ebtables
Version: 2.0.10.4-1
Severity: normal
Tags: patch
Dear Maintainer,
ebtables does not accept RETURN as a target in --xxxx-target
(e.g. --dnat-target, --mark-target), even if the rule is entered
in a non-base chain, and '--jump RETURN' is accepted for that
same chain.
For instance, when executing the following commands:
modprobe ebt_dnat
modprobe ebt_mark
ebtables -t nat --flush PREROUTING
ebtables -t nat --delete-chain MYCHAIN
ebtables -t nat --new-chain MYCHAIN
ebtables -t nat --policy MYCHAIN ACCEPT
ebtables -t nat --append PREROUTING --jump MYCHAIN
set -x
ebtables -t nat --append MYCHAIN --jump RETURN
ebtables -t nat --append MYCHAIN --jump dnat --to-destination 11:11:11:11:11:11 --dnat-target RETURN
ebtables -t nat --append MYCHAIN --jump mark --mark-set 0x00 --mark-target RETURN
The output is:
++ ebtables -t nat --append MYCHAIN --jump RETURN
++ ebtables -t nat --append MYCHAIN --jump dnat --to-destination 11:11:11:11:11:11 --dnat-target RETURN
--dnat-target RETURN not allowed on base chain.
++ ebtables -t nat --append MYCHAIN --jump mark --mark-set 0x00 --mark-target RETURN
--mark-target RETURN not allowed on base chain.
while, obviously, RETURN *should* be accepted as a target in these
cases.
Any extension module that is invoked using --jump, and allows
a 'real' target to be specified probably suffers from the same
problem. In effect, the RETURN target cannot be used with such
modules, and a separate rule has to be created instead.
I have created the patch below that seems to solve the problem.
I have tested it with the commands above, which succeed. Also,
inserting a RETURN target in one of the base chains still fails.
Kind regards,
Rogier.
------------------------------------------------------
--- ebtables-2.0.10.4/libebtc.c 2011-12-15 21:02:47.000000000 +0100
+++ ebtables-2.0.10.4-patch/libebtc.c 2013-02-05 17:44:04.000000000 +0100
@@ -1102,7 +1102,7 @@
/* check if we've dealt with this chain already */
if (entries2->hook_mask & (1<<i))
goto letscontinue;
- entries2->hook_mask |= entries->hook_mask;
+ entries2->hook_mask |= entries->hook_mask & ~(1 <<
NF_BR_NUMHOOKS);
/* Jump to the chain, make sure we know how to get back
*/
stack[sp].chain_nr = chain_nr;
stack[sp].n = j;
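Review bot: the changed line in this hunk deserves a comment, because the reason for masking out bit NF_BR_NUMHOOKS is not visible from the code itself: that bit is the flag the target extensions test when they emit "--dnat-target RETURN not allowed on base chain", so propagating it from the jumping chain into entries2 makes every chain reachable from a base chain look like a base chain. Suggest something like "/* don't inherit the base-chain flag, only the real hook bits */" above the assignment, and note that the loop-detection test just above it (entries2->hook_mask & (1<<i)) only ever looks at hook indices below NF_BR_NUMHOOKS, so dropping the flag does not weaken that check. Also, the added line has been wrapped by the mailer ("& ~(1 <<" / "NF_BR_NUMHOOKS);"), so this patch will not apply as-is; please re-send it unwrapped or as an attachment.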
------------------------------------------------------
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ebtables depends on:
ii libc6 2.13-37
Versions of packages ebtables recommends:
ii iptables 1.4.14-3
ii module-init-tools 9-2
ebtables suggests no packages.
-- no debconf information
-- debsums errors found:
debsums: changed file /lib/ebtables/libebtc.so (from ebtables package)