Blame SOURCES/0013-xtables-restore-fix-for-noflush-and-empty-lines.patch

fc8f74
From 5ea18ea8c0c99f2c71a5eaf32f4fbf6339ce8cc7 Mon Sep 17 00:00:00 2001
fc8f74
From: Phil Sutter <phil@nwl.cc>
fc8f74
Date: Tue, 11 Feb 2020 16:52:59 +0100
fc8f74
Subject: [PATCH] xtables-restore: fix for --noflush and empty lines
fc8f74
fc8f74
Lookahead buffer used for cache requirements estimate in restore
fc8f74
--noflush separates individual lines with nul-chars. Two consecutive
fc8f74
nul-chars are interpreted as end of buffer and remaining buffer content
fc8f74
is skipped.
fc8f74
fc8f74
Sadly, reading an empty line (i.e., one containing a newline character
fc8f74
only) caused double nul-chars to appear in buffer as well, leading to
fc8f74
premature stop when reading cached lines from buffer.
fc8f74
fc8f74
To fix that, make use of xtables_restore_parse_line() skipping empty
fc8f74
lines without calling strtok() and just leave the newline character in
fc8f74
place. A more intuitive approach, namely skipping empty lines while
fc8f74
buffering, is deliberately not chosen as that would cause wrong values
fc8f74
in 'line' variable.
fc8f74
fc8f74
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
fc8f74
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
fc8f74
Signed-off-by: Phil Sutter <phil@nwl.cc>
fc8f74
Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
fc8f74
(cherry picked from commit 8e76391096f12212985c401ee83a67990aa27a29)
fc8f74
Signed-off-by: Phil Sutter <psutter@redhat.com>
fc8f74
---
fc8f74
 .../ipt-restore/0011-noflush-empty-line_0        | 16 ++++++++++++++++
fc8f74
 iptables/xtables-restore.c                       |  8 +++++---
fc8f74
 2 files changed, 21 insertions(+), 3 deletions(-)
fc8f74
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
fc8f74
fc8f74
diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
fc8f74
new file mode 100755
fc8f74
index 0000000000000..bea1a690bb624
fc8f74
--- /dev/null
fc8f74
+++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0
fc8f74
@@ -0,0 +1,16 @@
fc8f74
+#!/bin/bash -e
fc8f74
+
fc8f74
+# make sure empty lines won't break --noflush
fc8f74
+
fc8f74
+cat <
fc8f74
+# just a comment followed by innocent empty line
fc8f74
+
fc8f74
+*filter
fc8f74
+-A FORWARD -j ACCEPT
fc8f74
+COMMIT
fc8f74
+EOF
fc8f74
+
fc8f74
+EXPECT='Chain FORWARD (policy ACCEPT)
fc8f74
+target     prot opt source               destination         
fc8f74
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           '
fc8f74
+diff -u <(echo "$EXPECT") <($XT_MULTI iptables -n -L FORWARD)
fc8f74
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
fc8f74
index 63cc15cee9621..fb2ac8b5c12a3 100644
fc8f74
--- a/iptables/xtables-restore.c
fc8f74
+++ b/iptables/xtables-restore.c
fc8f74
@@ -293,11 +293,13 @@ void xtables_restore_parse(struct nft_handle *h,
fc8f74
 		while (fgets(buffer, sizeof(buffer), p->in)) {
fc8f74
 			size_t blen = strlen(buffer);
fc8f74
 
fc8f74
-			/* drop trailing newline; xtables_restore_parse_line()
fc8f74
+			/* Drop trailing newline; xtables_restore_parse_line()
fc8f74
 			 * uses strtok() which replaces them by nul-characters,
fc8f74
 			 * causing unpredictable string delimiting in
fc8f74
-			 * preload_buffer */
fc8f74
-			if (buffer[blen - 1] == '\n')
fc8f74
+			 * preload_buffer.
fc8f74
+			 * Unless this is an empty line which would fold into a
fc8f74
+			 * spurious EoB indicator (double nul-char). */
fc8f74
+			if (buffer[blen - 1] == '\n' && blen > 1)
fc8f74
 				buffer[blen - 1] = '\0';
fc8f74
 			else
fc8f74
 				blen++;
fc8f74
-- 
fc8f74
2.24.1
fc8f74