From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Jul 2023 17:40:30 +0000 (+0200)
Subject: *tables-restore: Enforce correct counters syntax if present
X-Git-Tag: v1.8.10~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a2b2008fdf4df980433f99a6d8f2003f2005296;p=thirdparty%2Fiptables.git

*tables-restore: Enforce correct counters syntax if present

If '--counters' option was not given, restore parsers would ignore
anything following the policy word. Make them more strict, rejecting
anything in that spot which does not look like counter values even if
not restoring counters.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---

diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 6f7ddf93..f11b2dc2 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -283,23 +283,21 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
 					      xt_params->program_name, line);
 
 			if (strcmp(policy, "-") != 0) {
+				char *ctrs = strtok(NULL, " \t\n");
 				struct xt_counters count = {};
 
-				if (counters) {
-					char *ctrs;
-					ctrs = strtok(NULL, " \t\n");
-
-					if (!ctrs || !parse_counters(ctrs, &count))
-						xtables_error(PARAMETER_PROBLEM,
-							      "invalid policy counters for chain '%s'",
-							      chain);
-				}
+				if ((!ctrs && counters) ||
+				    (ctrs && !parse_counters(ctrs, &count)))
+					xtables_error(PARAMETER_PROBLEM,
+						      "invalid policy counters for chain '%s'",
+						      chain);
 
 				DEBUGP("Setting policy of chain %s to %s\n",
 					chain, policy);
 
-				if (!cb->ops->set_policy(chain, policy, &count,
-						     handle))
+				if (!cb->ops->set_policy(chain, policy,
+							 counters ? &count : NULL,
+							 handle))
 					xtables_error(OTHER_PROBLEM,
 						      "Can't set policy `%s' on `%s' line %u: %s",
 						      policy, chain, line,
diff --git a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0 b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
index 5ac70682..854768c9 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0008-restore-counters_0
@@ -20,3 +20,10 @@ EXPECT=":foo - [0:0]
 
 $XT_MULTI iptables-restore --counters <<< "$DUMP"
 diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables-save --counters | grep foo)
+
+# if present, counters must be in proper format
+! $XT_MULTI iptables-restore <<EOF
+*filter
+:FORWARD ACCEPT bar
+COMMIT
+EOF
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index abe56374..23cd3498 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -166,19 +166,17 @@ static void xtables_restore_parse_line(struct nft_handle *h,
 				      xt_params->program_name, line);
 
 		if (nft_chain_builtin_find(state->curtable, chain)) {
-			if (counters) {
-				char *ctrs;
-				ctrs = strtok(NULL, " \t\n");
+			char *ctrs = strtok(NULL, " \t\n");
 
-				if (!ctrs || !parse_counters(ctrs, &count))
-					xtables_error(PARAMETER_PROBLEM,
-						      "invalid policy counters for chain '%s'",
-						      chain);
-
-			}
+			if ((!ctrs && counters) ||
+			    (ctrs && !parse_counters(ctrs, &count)))
+				xtables_error(PARAMETER_PROBLEM,
+					      "invalid policy counters for chain '%s'",
+					      chain);
 			if (cb->chain_set &&
 			    cb->chain_set(h, state->curtable->name,
-					  chain, policy, &count) < 0) {
+					  chain, policy,
+					  counters ? &count : NULL) < 0) {
 				xtables_error(OTHER_PROBLEM,
 					      "Can't set policy `%s' on `%s' line %u: %s",
 					      policy, chain, line,