author: Ansuel Smith <ansuelsmth@gmail.com> 2022-01-07 18:22:17 +0100
committer: Rui Salvaterra <rsalvaterra@gmail.com> 2022-01-08 11:33:39 +0000
commit: 3624c3786601699b6e7f9d18209fad0d7c6fe4e9
tree: bd5a62c931ce2dd3a2957968358d7e1a1cb49da8
parent: 40e5f6a2bd0b5406eff7e1d2d4f95bbf8f9410a4
firewall3: support table load on access on Linux 5.15+
With Linux 5.15+, tables are loaded on access. Firewall3 uses the ip{,6}_tables_names proc entries to check if a table exists. In this new implementation, the proc entries can contain wrong data if a table is present but never used, and firewall3 will incorrectly think that the table is unavailable. This causes configuration problems, since after a normal boot the proc entries contain only the "filter" table and are missing "raw", "mangle" and "nat".

To fix this, "poke" the tables to load them, simply by opening and closing them without doing any operation. This simple operation is sufficient to make the missing tables appear in the proc entries.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[Reword the commit message and code comment]
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
-rw-r--r-- main.c 11
1 files changed, 11 insertions, 0 deletions
diff --git a/main.c b/main.c
index 7ad00b4..9afeb70 100644
--- a/main.c
+++ b/main.c
@@ -266,6 +266,17 @@ start(void)
continue;
}
+ /* Linux 5.15+: make sure the tables are loaded and
+ * /proc/net/ip{,6}_tables_names are thus populated.
+ */
+ for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
+ {
+ if (!(handle = fw3_ipt_open(family, table)))
+ continue;
+
+ fw3_ipt_close(handle);
+ }
+
for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
{
if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
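Review bot: The new loop in start() drops a failed fw3_ipt_open() with a bare `continue`, so a table that could not be opened at all looks the same as one that was poked successfully, and the only later signal is fw3_has_table() reporting it absent. A log line on the failure path would make "table missing from the kernel" distinguishable from "table never loaded" when someone debugs a ruleset that came up without nat, mangle or raw. Two smaller points: the comment says "Linux 5.15+" but the loop has no version check, so it runs on every kernel and loads all four tables whether or not the configuration uses them, which the comment should state; and the poke is added only in start(), so if other command paths gate on fw3_has_table() in the same way, moving the open/close pair into a small helper called from each of them would keep the proc-entry check consistent.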