From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:07:39 +0200
Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 4e470fa347610
Conflicts: Downstream does not support nft-variants.

commit 4e470fa34761085144640fb561a9ad26b2cde382
Author: Phil Sutter <phil@nwl.cc>
Date: Tue Oct 22 12:25:28 2019 +0200

xtables-restore: Unbreak *tables-restore

Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
installed an error check which evaluated true in all cases as all
callers of do_command callbacks pass a pointer to a table name already.
Attached test case passed as it tested error condition only.

Fix the whole mess by introducing a boolean to indicate whether a table
parameter was seen already. Extend the test case to cover positive as
well as negative behaviour and to test ebtables-restore and
ip6tables-restore as well. Also add the required checking code to the
latter since the original commit missed it.

Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/ip6tables.c | 6 ++++++
iptables/iptables.c | 4 +++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index fc2fd37cfe919..42edf7a55ec6e 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
+ bool table_set = false;
memset(&cs, 0, sizeof(cs));
cs.jumpto = "";
@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
+ if (restore && table_set)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
*table = optarg;
+ table_set = true;
break;
case 'x':
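Review bot: The check `if (restore && table_set)` in do_command6 needs a comment, because the error text says the -t option "cannot be used" while the condition only fires on a second -t within the same call (table_set starts out false, so the first one is always accepted in restore mode). A one-line comment above the check saying that the first -t is expected and only a repeated one is rejected would stop a later reader from turning it back into a test on `*table`, which the commit message says is always set for these callers.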
diff --git a/iptables/iptables.c b/iptables/iptables.c
index d106a18949407..0ad87fd98684d 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table,
struct xtables_rule_match *matchp;
struct xtables_target *t;
unsigned long long cnt;
+ bool table_set = false;
memset(&cs, 0, sizeof(cs));
cs.jumpto = "";
@@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
- if (restore && *table)
+ if (restore && table_set)
xtables_error(PARAMETER_PROBLEM,
"The -t option (seen in line %u) cannot be used in %s.\n",
line, xt_params->program_name);
*table = optarg;
+ table_set = true;
break;
case 'x':
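Review bot: Test coverage is missing for the `restore && table_set` change in do_command4: the diffstat lists only iptables/ip6tables.c and iptables/iptables.c, so the extended test case the commit message describes is not carried in this backport. The previous condition was wrong in every case and its error-only test did not catch that, so it would be worth carrying the positive and negative cases for iptables-restore and ip6tables-restore here as well, or stating in the Conflicts line that the tests were dropped. The block is also now duplicated verbatim between do_command4 and do_command6, so any later wording or logic fix has to be made in both places.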
--
2.23.0