git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Fri, 20 Sep 2019 15:31:58 +0000 (17:31 +0200)
committer	Phil Sutter <phil@nwl.cc>
	Mon, 21 Oct 2019 14:15:34 +0000 (16:15 +0200)
commit	3dc433b55bbfaf9df3ee408aaa6282742f377864
tree	0e867ad01427cfc52b747064e54b7d10364666f1	tree
parent	55a7558bb2c86e650809610e976e9d5192fe4e7e	commit \| diff

xtables-restore: Fix --table parameter check

Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:

| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT

Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.

Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>

iptables/iptables.c		diff \| blob \| blame \| history
iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0	[new file with mode: 0755]	blob
iptables/xshared.c		diff \| blob \| blame \| history
iptables/xtables-eb.c		diff \| blob \| blame \| history
iptables/xtables.c		diff \| blob \| blame \| history