Share print_ipv{4,6}_addr() from xtables
authorPhil Sutter <phil@nwl.cc>
Wed, 19 Sep 2018 13:16:59 +0000 (15:16 +0200)
committerFlorian Westphal <fw@strlen.de>
Mon, 24 Sep 2018 09:24:14 +0000 (11:24 +0200)
These functions contain code which occurs in legacy's print_firewall()
functions, so use them there.

Rename them to at least make clear they print more than a single
address.

Also introduce ipv{4,6}_addr_to_string() which take care of converting
an address/netmask pair into string representation in a way which
doesn't upset covscan (since that didn't detect that 'buf' may not be
exceeded by the strings written into it).

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/ip6tables.c
iptables/iptables.c
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/xshared.c
iptables/xshared.h

index 3bd1e5fade785c956e9e1c05ac3575e5a84f2051..f5f73fe319595f6a5b060af98ddf74458c3f5638 100644 (file)
@@ -550,7 +550,6 @@ print_firewall(const struct ip6t_entry *fw,
 {
        struct xtables_target *target, *tg;
        const struct xt_entry_target *t;
-       char buf[BUFSIZ];
 
        if (!ip6tc_is_chain(targname, handle))
                target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -618,31 +617,7 @@ print_firewall(const struct ip6t_entry *fw,
                printf(FMT("%-6s ","out %s "), iface);
        }
 
-       fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
-       if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
-           && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","%s "), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
-               else
-                       strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
-               strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
-               printf(FMT("%-19s ","%s "), buf);
-       }
-
-       fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
-       if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
-           && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","-> %s"), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
-               else
-                       strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
-               strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
-               printf(FMT("%-19s ","-> %s"), buf);
-       }
+       print_ipv6_addresses(fw, format);
 
        if (format & FMT_NOTABLE)
                fputs("  ", stdout);
index 428fae4edb463a19ca7e76358fbc51ecbf90a406..31cb97b2ee7fa64ddbf1910ab06383ae8890c985 100644 (file)
@@ -535,7 +535,6 @@ print_firewall(const struct ipt_entry *fw,
        struct xtables_target *target, *tg;
        const struct xt_entry_target *t;
        uint8_t flags;
-       char buf[BUFSIZ];
 
        if (!iptc_is_chain(targname, handle))
                target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -604,29 +603,7 @@ print_firewall(const struct ipt_entry *fw,
                printf(FMT("%-6s ","out %s "), iface);
        }
 
-       fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
-       if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","%s "), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src));
-               else
-                       strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src));
-               strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk));
-               printf(FMT("%-19s ","%s "), buf);
-       }
-
-       fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
-       if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","-> %s"), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst));
-               else
-                       strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst));
-               strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk));
-               printf(FMT("%-19s ","-> %s"), buf);
-       }
+       print_ipv4_addresses(fw, format);
 
        if (format & FMT_NOTABLE)
                fputs("  ", stdout);
index 2d1bd10e30aaa7056f9414c1895bb19096235c98..20ed9428425dda6d52151035476780bf895f0d8e 100644 (file)
@@ -255,36 +255,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
                cs->fw.ip.flags |= IPT_F_GOTO;
 }
 
-static void print_ipv4_addr(const struct iptables_command_state *cs,
-                           unsigned int format)
-{
-       char buf[BUFSIZ];
-
-       fputc(cs->fw.ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
-       if (cs->fw.ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","%s "), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.src));
-               else
-                       strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.src));
-               strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
-               printf(FMT("%-19s ","%s "), buf);
-       }
-
-       fputc(cs->fw.ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
-       if (cs->fw.ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","-> %s"), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.dst));
-               else
-                       strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.dst));
-               strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
-               printf(FMT("%-19s ","-> %s"), buf);
-       }
-}
-
 static void print_fragment(unsigned int flags, unsigned int invflags,
                           unsigned int format)
 {
@@ -310,7 +280,7 @@ static void nft_ipv4_print_rule(struct nftnl_rule *r, unsigned int num,
        print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
        print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface, cs.fw.ip.invflags,
                     format);
-       print_ipv4_addr(&cs, format);
+       print_ipv4_addresses(&cs.fw, format);
 
        if (format & FMT_NOTABLE)
                fputs("  ", stdout);
index b1b20ba18d86808701e1d798f54ee11d8c85b187..1952164e199b91ebabe72b3f75cbbeb06dc3cad7 100644 (file)
@@ -191,43 +191,6 @@ static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
                cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
-static void print_ipv6_addr(const struct iptables_command_state *cs,
-                           unsigned int format)
-{
-       char buf[BUFSIZ];
-
-       fputc(cs->fw6.ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
-       if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)
-           && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","%s "), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf,
-                              xtables_ip6addr_to_numeric(&cs->fw6.ipv6.src));
-               else
-                       strcpy(buf,
-                              xtables_ip6addr_to_anyname(&cs->fw6.ipv6.src));
-               strcat(buf, xtables_ip6mask_to_numeric(&cs->fw6.ipv6.smsk));
-               printf(FMT("%-19s ","%s "), buf);
-       }
-
-
-       fputc(cs->fw6.ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
-       if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dst)
-           && !(format & FMT_NUMERIC))
-               printf(FMT("%-19s ","-> %s"), "anywhere");
-       else {
-               if (format & FMT_NUMERIC)
-                       strcpy(buf,
-                              xtables_ip6addr_to_numeric(&cs->fw6.ipv6.dst));
-               else
-                       strcpy(buf,
-                              xtables_ip6addr_to_anyname(&cs->fw6.ipv6.dst));
-               strcat(buf, xtables_ip6mask_to_numeric(&cs->fw6.ipv6.dmsk));
-               printf(FMT("%-19s ","-> %s"), buf);
-       }
-}
-
 static void nft_ipv6_print_rule(struct nftnl_rule *r, unsigned int num,
                                unsigned int format)
 {
@@ -245,7 +208,7 @@ static void nft_ipv6_print_rule(struct nftnl_rule *r, unsigned int num,
        }
        print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
                     cs.fw6.ipv6.invflags, format);
-       print_ipv6_addr(&cs, format);
+       print_ipv6_addresses(&cs.fw6, format);
 
        if (format & FMT_NOTABLE)
                fputs("  ", stdout);
index 492e0087379562d1f2441201b492953574e059db..d30e723254570c53fbdc79e21b6981c3cd5d8b0b 100644 (file)
@@ -502,3 +502,69 @@ void add_param_to_argv(char *parsestart, int line)
                param_len = 0;
        }
 }
+
+static const char *ipv4_addr_to_string(const struct in_addr *addr,
+                                      const struct in_addr *mask,
+                                      unsigned int format)
+{
+       static char buf[BUFSIZ];
+
+       if (!mask->s_addr && !(format & FMT_NUMERIC))
+               return "anywhere";
+
+       if (format & FMT_NUMERIC)
+               strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1);
+       else
+               strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1);
+       buf[BUFSIZ - 1] = '\0';
+
+       strncat(buf, xtables_ipmask_to_numeric(mask),
+               BUFSIZ - strlen(buf) - 1);
+
+       return buf;
+}
+
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
+{
+       fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
+       printf(FMT("%-19s ", "%s "),
+              ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format));
+
+       fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
+       printf(FMT("%-19s ", "-> %s"),
+              ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
+}
+
+static const char *ipv6_addr_to_string(const struct in6_addr *addr,
+                                      const struct in6_addr *mask,
+                                      unsigned int format)
+{
+       static char buf[BUFSIZ];
+
+       if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC))
+               return "anywhere";
+
+       if (format & FMT_NUMERIC)
+               strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1);
+       else
+               strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1);
+       buf[BUFSIZ - 1] = '\0';
+
+       strncat(buf, xtables_ip6mask_to_numeric(mask),
+               BUFSIZ - strlen(buf) - 1);
+
+       return buf;
+}
+
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
+{
+       fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
+       printf(FMT("%-19s ", "%s "),
+              ipv6_addr_to_string(&fw6->ipv6.src,
+                                  &fw6->ipv6.smsk, format));
+
+       fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
+       printf(FMT("%-19s ", "-> %s"),
+              ipv6_addr_to_string(&fw6->ipv6.dst,
+                                  &fw6->ipv6.dmsk, format));
+}
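Review bot: `ipv6_addr_to_string()` decides on "anywhere" by testing the address (`IN6_IS_ADDR_UNSPECIFIED(addr)`), whereas `ipv4_addr_to_string()` in this same hunk tests the mask (`!mask->s_addr`), and the block removed from `print_firewall()` in ip6tables.c also compared `smsk`/`dmsk` against `in6addr_any`. For legacy ip6tables this changes the listing: a rule whose address is all-zero but whose mask is not would now be shown as "anywhere" in non-numeric mode instead of as an address/mask pair, so a narrowly scoped rule reads like a match-all when the ruleset is audited. Testing the mask keeps both families consistent: `if (IN6_IS_ADDR_UNSPECIFIED(mask) && !(format & FMT_NUMERIC))`. The removed `print_ipv6_addr()` in nft-ipv6.c tested the address, so that caller's output would change for the same case and should be checked against the expected nft listings.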
index 801d0f7564dc48137d8d05b7d344fb4a6fd141b2..cb6f761d8afa1a2a1c3266b5a9d7c10099b78578 100644 (file)
@@ -168,4 +168,7 @@ void free_argv(void);
 void save_argv(void);
 void add_param_to_argv(char *parsestart, int line);
 
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+
 #endif /* IPTABLES_XSHARED_H */