*tables-restore: Enforce correct counters syntax if present

If '--counters' option was not given, restore parsers would ignore
anything following the policy word. Make them more strict, rejecting
anything in that spot which does not look like counter values even if
not restoring counters.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 6f7ddf93b01bb62df9ba6607d39bad7911583747..f11b2dc2fd316ea5180c46b06c31b1ceb82400a8 100644 (file)
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -283,23 +283,21 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
                                              xt_params->program_name, line);
 
                        if (strcmp(policy, "-") != 0) {
+                               char *ctrs = strtok(NULL, " \t\n");
                                struct xt_counters count = {};
 
-                               if (counters) {
-                                       char *ctrs;
-                                       ctrs = strtok(NULL, " \t\n");
-
-                                       if (!ctrs || !parse_counters(ctrs, &count))
-                                               xtables_error(PARAMETER_PROBLEM,
-                                                             "invalid policy counters for chain '%s'",
-                                                             chain);
-                               }
+                               if ((!ctrs && counters) ||
+                                   (ctrs && !parse_counters(ctrs, &count)))
+                                       xtables_error(PARAMETER_PROBLEM,
+                                                     "invalid policy counters for chain '%s'",
+                                                     chain);
 
                                DEBUGP("Setting policy of chain %s to %s\n",
                                        chain, policy);
 
-                               if (!cb->ops->set_policy(chain, policy, &count,
-                                                    handle))
+                               if (!cb->ops->set_policy(chain, policy,
+                                                        counters ? &count : NULL,
+                                                        handle))
                                        xtables_error(OTHER_PROBLEM,
                                                      "Can't set policy `%s' on `%s' line %u: %s",
                                                      policy, chain, line,

diff --git a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
index 5ac70682b76bf7d23fab856d54f38ea1242553e6..854768c96e0da1dbcf8fa0d90d1032d7cd19b16a 100755 (executable)
--- a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
@@ -20,3 +20,10 @@ EXPECT=":foo - [0:0]
 
 $XT_MULTI iptables-restore --counters <<< "$DUMP"
 diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo)
+
+# if present, counters must be in proper format
+! $XT_MULTI iptables-restore <<EOF
+*filter
+:FORWARD ACCEPT bar
+COMMIT
+EOF

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index abe56374289f40a9a3763c9187816d1912afecb2..23cd349819f4f5258054901c7a5807665beacbb7 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -166,19 +166,17 @@ static void xtables_restore_parse_line(struct nft_handle *h,
                                      xt_params->program_name, line);
 
                if (nft_chain_builtin_find(state->curtable, chain)) {
-                       if (counters) {
-                               char *ctrs;
-                               ctrs = strtok(NULL, " \t\n");
+                       char *ctrs = strtok(NULL, " \t\n");
 
-                               if (!ctrs || !parse_counters(ctrs, &count))
-                                       xtables_error(PARAMETER_PROBLEM,
-                                                     "invalid policy counters for chain '%s'",
-                                                     chain);
-
-                       }
+                       if ((!ctrs && counters) ||
+                           (ctrs && !parse_counters(ctrs, &count)))
+                               xtables_error(PARAMETER_PROBLEM,
+                                             "invalid policy counters for chain '%s'",
+                                             chain);
                        if (cb->chain_set &&
                            cb->chain_set(h, state->curtable->name,
-                                         chain, policy, &count) < 0) {
+                                         chain, policy,
+                                         counters ? &count : NULL) < 0) {
                                xtables_error(OTHER_PROBLEM,
                                              "Can't set policy `%s' on `%s' line %u: %s",
                                              policy, chain, line,