powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1055 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: 260568e7ec
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '260568e7ec'
${ noResults }
base/SOURCES/xtables-restore-Fix-table-p...

81 lines
2.8 KiB
Raw Blame History

From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:06:55 +0200
Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 3dc433b55bbfa
Conflicts: Downstream does not support nft-variants.
commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Sep 20 17:31:58 2019 +0200
xtables-restore: Fix --table parameter check
Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:
| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT
Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables.c | 4 ++++
iptables/xshared.c | 12 ------------
2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/iptables/iptables.c b/iptables/iptables.c
index dc70cc6e9b0ec..d106a18949407 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
+ if (restore && *table)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
*table = optarg;
break;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 84dbea562576e..058b5e8b63896 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
}
param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if ((param_buffer[0] == '-' &&
- param_buffer[1] != '-' &&
- strchr(param_buffer, 't')) ||
- (!strncmp(param_buffer, "--t", 3) &&
- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
- xtables_error(PARAMETER_PROBLEM,
- "The -t option (seen in line %u) cannot be used in %s.\n",
- line, xt_params->program_name);
- }
-
add_argv(param_buffer, 0);
param_len = 0;
}
--
2.23.0