I think the work to move ebtables to use xtables broke ebtables.
Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
return value of the match functions was inverted so that they return 1
(true) on matches instead of EBT_MATCH (0), and vice versa (look in
ebt_ip.c). The logic in ebtables.c (ebt_do_table() and
EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
The patch at the end of this message fixes the problem, but seems a
little hacky to me. Who's the right person to address this?
-Matt
--- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c 2008-12-24
18:26:37.000000000 -0500
+++ linux-2.6.28/net/bridge/netfilter/ebtables.c 2008-12-31
16:17:44.000000000 -0500
@@ -80,7 +80,7 @@
{
par->match = m->u.match;
par->matchinfo = m->data;
- return m->u.match->match(skb, par);
+ return !m->u.match->match(skb, par);
}
static inline int ebt_dev_check(char *entry, const struct net_device *device)
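Review bot: The `!` on the `+` line in ebt_do_match() encodes the 0-means-match convention implicitly, so a reader cannot tell which return convention is being translated or why. Spell the mapping out with the named constants, for example `return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;`. The patch also carries no changelog and no Signed-off-by line; the changelog should name commit 8cc784eec6676b58e7f60419c88179aaa97bf71c as the change that introduced the inversion.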
On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
> I think the work to move ebtables to use xtables broke ebtables.
> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
> return value of the match functions was inverted so that they return 1
> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
> ebt_ip.c). The logic in ebtables.c (ebt_do_table() and
> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>
> The patch at the end of this message fixes the problem, but seems a
> little hacky to me. Who's the right person to address this?
>
> -Matt
I suspect the right place to send this is:
[email protected]
The subject line should indicate that you've contributed a patch
otherwise you may not get a quick response (I've modified it
accordingly).
For more on submitting patches you can read
Documentation/SubmittingPatches and Documentation/SubmitChecklist
Cheers,
-Matt Helsley
>
> --- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c 2008-12-24
> 18:26:37.000000000 -0500
> +++ linux-2.6.28/net/bridge/netfilter/ebtables.c 2008-12-31
> 16:17:44.000000000 -0500
> @@ -80,7 +80,7 @@
> {
> par->match = m->u.match;
> par->matchinfo = m->data;
> - return m->u.match->match(skb, par);
> + return !m->u.match->match(skb, par);
> }
>
> static inline int ebt_dev_check(char *entry, const struct net_device *device)
Matthew Helsley wrote:
> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>> I think the work to move ebtables to use xtables broke ebtables.
>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>> return value of the match functions was inverted so that they return 1
>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>> ebt_ip.c). The logic in ebtables.c (ebt_do_table() and
>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>
>> The patch at the end of this message fixes the problem, but seems a
>> little hacky to me. Who's the right person to address this?
Jan, could you have a look at this please?
>> --- linux-2.6.28.orig/net/bridge/netfilter/ebtables.c 2008-12-24
>> 18:26:37.000000000 -0500
>> +++ linux-2.6.28/net/bridge/netfilter/ebtables.c 2008-12-31
>> 16:17:44.000000000 -0500
>> @@ -80,7 +80,7 @@
>> {
>> par->match = m->u.match;
>> par->matchinfo = m->data;
>> - return m->u.match->match(skb, par);
>> + return !m->u.match->match(skb, par);
>> }
On Monday 2009-01-12 06:14, Patrick McHardy wrote:
> Matthew Helsley wrote:
>> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>>> I think the work to move ebtables to use xtables broke ebtables.
>>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>>> return value of the match functions was inverted so that they return 1
>>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>>> ebt_ip.c). The logic in ebtables.c (ebt_do_table() and
>>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>>
>>> The patch at the end of this message fixes the problem, but seems a
>>> little hacky to me. Who's the right person to address this?
>
> Jan, could you have a look at this please?
That seems indeed so.
Patch is both for 2.6.29-running and 2.6.28.
parent 1e8ca9528de86bdb2d73fbdfb27a10131bb5c593 (v2.6.29-rc1-21-g1e8ca95)
commit cc46eb3e855b7c1f628e934e01b97f4f2642973e
Author: Jan Engelhardt <[email protected]>
Date: Mon Jan 12 08:40:22 2009 +0100
netfilter: ebtables: fix inversion in match code
Signed-off-by: Jan Engelhardt <[email protected]>
---
net/bridge/netfilter/ebtables.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index fa108c4..9f46235 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -79,7 +79,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
{
par->match = m->u.match;
par->matchinfo = m->data;
- return m->u.match->match(skb, par);
+ return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
}
static inline int ebt_dev_check(char *entry, const struct net_device *device)
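Review bot: The ternary on the `+` line is the one place where the xtables return convention (1 on a match) is converted to the EBT_MATCH/EBT_NOMATCH convention that ebt_do_table() and EBT_MATCH_ITERATE() expect, and nothing in ebt_do_match() says so. A one-line comment above the return would keep a later cleanup from collapsing it back to a plain pass-through. The commit message also has no body: it should name the commit that introduced the inversion (8cc784eec6676b58e7f60419c88179aaa97bf71c per the report) and credit the reporter.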
--
# Created with git-export-patch
Jan Engelhardt wrote:
>>> On Wed, 2008-12-31 at 17:00 -0500, Matt Cross wrote:
>>>> I think the work to move ebtables to use xtables broke ebtables.
>>>> Specifically, in commit 8cc784eec6676b58e7f60419c88179aaa97bf71c the
>>>> return value of the match functions was inverted so that they return 1
>>>> (true) on matches instead of EBT_MATCH (0), and vice versa (look in
>>>> ebt_ip.c). The logic in ebtables.c (ebt_do_table() and
>>>> EBT_MATCH_ITERATE()) expect match functions to return 0 for matches.
>>>>
>> Jan, could you have a look at this please?
>
> That seems indeed so.
> Patch is both for 2.6.29-running and 2.6.28.
>
> netfilter: ebtables: fix inversion in match code
Applied, thanks. When fixing regressions please state the commit
ID and subject of the patch introducing the breakage and also who
reported it.
Like this.
On Mon, 2009-01-12 at 08:54 +0100, Patrick McHardy wrote:
> commit c6b52c688ecf03adb82724299b97701528821ca5
> Author: Jan Engelhardt <[email protected]>
> Date: Mon Jan 12 08:52:08 2009 +0100
>
> netfilter: ebtables: fix inversion in match code
>
> Commit 8cc784ee (netfilter: change return types of match functions
> for ebtables extensions) broke ebtables matches by inverting the
> sense of match/nomatch.
>
> Reported-by: Matt Cross <[email protected]>
Argh, I totally skimmed past this mistake earlier!
Should be:
Reported-by: Matt Cross <[email protected]>
I just directed Matt Cross to the appropriate mailing list.
Cheers,
-Matt Helsley
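The return-convention mismatch discussed in this thread, modeled in user space as an added example (not kernel code and not written by any of the posters). `struct pkt`, `struct match`, `adapter_fn`, `do_match_broken`, `do_match_fixed`, `rule_applies` and `ssh_rule` are hypothetical names; only `EBT_MATCH`, `EBT_NOMATCH` and the ternary come from the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define EBT_MATCH   0  /* value stated in the thread */
#define EBT_NOMATCH 1  /* name from the applied fix; any nonzero value stops the walk */

/* Hypothetical stand-ins for the skb and the xtables match descriptor. */
struct pkt { unsigned proto, dport; };
struct match { bool (*fn)(const struct pkt *, unsigned); unsigned arg; };
typedef int (*adapter_fn)(const struct match *, const struct pkt *);
/* xtables-style matches: true means the packet matches. */
static bool match_proto(const struct pkt *p, unsigned arg) { return p->proto == arg; }
static bool match_dport(const struct pkt *p, unsigned arg) { return p->dport == arg; }

/* Regressed adapter: true (1) reaches a caller that reads nonzero as "no match". */
static int do_match_broken(const struct match *m, const struct pkt *p)
{
    return m->fn(p, m->arg);
}

/* Fixed adapter: explicit translation, the form the applied patch uses. */
static int do_match_fixed(const struct match *m, const struct pkt *p)
{
    return m->fn(p, m->arg) ? EBT_MATCH : EBT_NOMATCH;
}

/* Rule walk in the style the thread describes: the rule applies only if
 * every match returns 0; the first nonzero result ends the walk. */
static bool rule_applies(const struct match *ms, size_t n,
                         const struct pkt *p, adapter_fn do_match)
{
    for (size_t i = 0; i < n; i++)
        if (do_match(&ms[i], p) != EBT_MATCH)
            return false;
    return true;
}

/* Constructed rule: protocol 6 (TCP) with destination port 22. */
static const struct match ssh_rule[] = { { match_proto, 6 }, { match_dport, 22 } };
int main(void)
{
    struct pkt ssh = { 6, 22 }, dns = { 17, 53 };
    printf("broken: ssh=%d dns=%d\n", rule_applies(ssh_rule, 2, &ssh, do_match_broken),
           rule_applies(ssh_rule, 2, &dns, do_match_broken));
    printf("fixed:  ssh=%d dns=%d\n", rule_applies(ssh_rule, 2, &ssh, do_match_fixed),
           rule_applies(ssh_rule, 2, &dns, do_match_fixed));
    return 0;
}
```

With the regressed adapter the constructed rule skips the packet it was written for and applies to a packet that fails every match, which is why a filtering rule set fails in both directions rather than simply being negated.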