|
|
fc8f74 |
From 5ea18ea8c0c99f2c71a5eaf32f4fbf6339ce8cc7 Mon Sep 17 00:00:00 2001
|
|
|
fc8f74 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
fc8f74 |
Date: Tue, 11 Feb 2020 16:52:59 +0100
|
|
|
fc8f74 |
Subject: [PATCH] xtables-restore: fix for --noflush and empty lines
|
|
|
fc8f74 |
|
|
|
fc8f74 |
Lookahead buffer used for cache requirements estimate in restore
|
|
|
fc8f74 |
--noflush separates individual lines with nul-chars. Two consecutive
|
|
|
fc8f74 |
nul-chars are interpreted as end of buffer and remaining buffer content
|
|
|
fc8f74 |
is skipped.
|
|
|
fc8f74 |
|
|
|
fc8f74 |
Sadly, reading an empty line (i.e., one containing a newline character
|
|
|
fc8f74 |
only) caused double nul-chars to appear in buffer as well, leading to
|
|
|
fc8f74 |
premature stop when reading cached lines from buffer.
|
|
|
fc8f74 |
|
|
|
fc8f74 |
To fix that, make use of xtables_restore_parse_line() skipping empty
|
|
|
fc8f74 |
lines without calling strtok() and just leave the newline character in
|
|
|
fc8f74 |
place. A more intuitive approach, namely skipping empty lines while
|
|
|
fc8f74 |
buffering, is deliberately not chosen as that would cause wrong values
|
|
|
fc8f74 |
in 'line' variable.
|
|
|
fc8f74 |
|
|
|
fc8f74 |
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
|
|
|
fc8f74 |
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
|
|
|
fc8f74 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
fc8f74 |
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
|
|
|
fc8f74 |
(cherry picked from commit 8e76391096f12212985c401ee83a67990aa27a29)
|
|
|
fc8f74 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
fc8f74 |
---
|
|
|
fc8f74 |
.../ipt-restore/0011-noflush-empty-line_0 | 16 ++++++++++++++++
|
|
|
fc8f74 |
iptables/xtables-restore.c | 8 +++++---
|
|
|
fc8f74 |
2 files changed, 21 insertions(+), 3 deletions(-)
|
|
|
fc8f74 |
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
|
|
|
fc8f74 |
|
|
|
fc8f74 |
diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
|
|
|
fc8f74 |
new file mode 100755
|
|
|
fc8f74 |
index 0000000000000..bea1a690bb624
|
|
|
fc8f74 |
--- /dev/null
|
|
|
fc8f74 |
+++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
|
|
|
fc8f74 |
@@ -0,0 +1,16 @@
|
|
|
fc8f74 |
+#!/bin/bash -e
|
|
|
fc8f74 |
+
|
|
|
fc8f74 |
+# make sure empty lines won't break --noflush
|
|
|
fc8f74 |
+
|
|
|
fc8f74 |
+cat <
|
|
|
fc8f74 |
+# just a comment followed by innocent empty line
|
|
|
fc8f74 |
+
|
|
|
fc8f74 |
+*filter
|
|
|
fc8f74 |
+-A FORWARD -j ACCEPT
|
|
|
fc8f74 |
+COMMIT
|
|
|
fc8f74 |
+EOF
|
|
|
fc8f74 |
+
|
|
|
fc8f74 |
+EXPECT='Chain FORWARD (policy ACCEPT)
|
|
|
fc8f74 |
+target prot opt source destination
|
|
|
fc8f74 |
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 '
|
|
|
fc8f74 |
+diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
|
|
|
fc8f74 |
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
|
|
fc8f74 |
index 63cc15cee9621..fb2ac8b5c12a3 100644
|
|
|
fc8f74 |
--- a/iptables/xtables-restore.c
|
|
|
fc8f74 |
+++ b/iptables/xtables-restore.c
|
|
|
fc8f74 |
@@ -293,11 +293,13 @@ void xtables_restore_parse(struct nft_handle *h,
|
|
|
fc8f74 |
while (fgets(buffer, sizeof(buffer), p->in)) {
|
|
|
fc8f74 |
size_t blen = strlen(buffer);
|
|
|
fc8f74 |
|
|
|
fc8f74 |
- /* drop trailing newline; xtables_restore_parse_line()
|
|
|
fc8f74 |
+ /* Drop trailing newline; xtables_restore_parse_line()
|
|
|
fc8f74 |
* uses strtok() which replaces them by nul-characters,
|
|
|
fc8f74 |
* causing unpredictable string delimiting in
|
|
|
fc8f74 |
- * preload_buffer */
|
|
|
fc8f74 |
- if (buffer[blen - 1] == '\n')
|
|
|
fc8f74 |
+ * preload_buffer.
|
|
|
fc8f74 |
+ * Unless this is an empty line which would fold into a
|
|
|
fc8f74 |
+ * spurious EoB indicator (double nul-char). */
|
|
|
fc8f74 |
+ if (buffer[blen - 1] == '\n' && blen > 1)
|
|
|
fc8f74 |
buffer[blen - 1] = '\0';
|
|
|
fc8f74 |
else
|
|
|
fc8f74 |
blen++;
|
|
|
fc8f74 |
--
|
|
|
fc8f74 |
2.24.1
|
|
|
fc8f74 |
|