From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:06:55 +0200
Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 3dc433b55bbfa
Conflicts: Downstream does not support nft-variants.
|
commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Sep 20 17:31:58 2019 +0200
|
xtables-restore: Fix --table parameter check
|
Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:
|
| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT
|
Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.
|
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/iptables.c | 4 ++++
iptables/xshared.c | 12 ------------
2 files changed, 4 insertions(+), 12 deletions(-)
|
diff --git a/iptables/iptables.c b/iptables/iptables.c
|
|
|
7d381e |
index dc70cc6e9b0ec..d106a18949407 100644
|
|
|
7d381e |
--- a/iptables/iptables.c
|
|
|
7d381e |
+++ b/iptables/iptables.c
|
|
|
7d381e |
@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
|
|
|
7d381e |
if (cs.invert)
|
|
|
7d381e |
xtables_error(PARAMETER_PROBLEM,
|
|
|
7d381e |
"unexpected ! flag before --table");
|
|
|
7d381e |
+ if (restore && *table)
|
|
|
7d381e |
+ xtables_error(PARAMETER_PROBLEM,
|
|
|
7d381e |
+ "The -t option (seen in line %u) cannot be used in %s.\n",
|
|
|
7d381e |
+ line, xt_params->program_name);
|
|
|
7d381e |
*table = optarg;
|
|
|
7d381e |
break;
|
|
|
7d381e |
|
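Review bot: The new guard in the `--table` case fires only when `*table` is already non-NULL, so it silently depends on the restore caller having filled `*table` from the preceding `*<name>` line before dispatching each rule; if do_command4 were ever entered with `restore` set and `*table` NULL, a `-t` embedded in rule text would be accepted and select a table of the rule author's choosing, which is exactly what the removed xshared.c check rejected regardless of state. That precondition deserves a comment directly above the check, e.g. `/* *tables-restore sets *table from the '*<name>' line, so any -t/--table inside a rule is a second table option */`. Separately, `line` is printed with `%u`; the `add_param_to_argv(char *parsestart, int line)` signature visible in the xshared.c hunk header suggests it is an `int`, in which case `%d` is the matching specifier (the format string was carried over from the removed check, so this is pre-existing rather than introduced here). The enclosing switch case and do_command4 as a whole extend well outside this hunk.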
|
|
7d381e |
diff --git a/iptables/xshared.c b/iptables/xshared.c
|
|
|
7d381e |
index 84dbea562576e..058b5e8b63896 100644
|
|
|
7d381e |
--- a/iptables/xshared.c
|
|
|
7d381e |
+++ b/iptables/xshared.c
|
|
|
7d381e |
@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
|
|
|
7d381e |
}
|
|
|
7d381e |
|
|
|
7d381e |
param_buffer[param_len] = '\0';
|
|
|
7d381e |
-
|
|
|
7d381e |
- /* check if table name specified */
|
|
|
7d381e |
- if ((param_buffer[0] == '-' &&
|
|
|
7d381e |
- param_buffer[1] != '-' &&
|
|
|
7d381e |
- strchr(param_buffer, 't')) ||
|
|
|
7d381e |
- (!strncmp(param_buffer, "--t", 3) &&
|
|
|
7d381e |
- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
|
|
|
7d381e |
- xtables_error(PARAMETER_PROBLEM,
|
|
|
7d381e |
- "The -t option (seen in line %u) cannot be used in %s.\n",
|
|
|
7d381e |
- line, xt_params->program_name);
|
|
|
7d381e |
- }
|
|
|
7d381e |
-
|
|
|
7d381e |
add_argv(param_buffer, 0);
|
|
|
7d381e |
param_len = 0;
|
|
|
7d381e |
}
--
2.23.0
|