libxt_recent: do not allow both --set and --rttl
authorJan Engelhardt <jengelh@medozas.de>
Mon, 4 Aug 2008 10:52:27 +0000 (12:52 +0200)
committerPatrick McHardy <kaber@trash.net>
Mon, 4 Aug 2008 10:52:27 +0000 (12:52 +0200)
Reported-by: Erich Schubert <erich@debian.org>
Reference: Debian bug #346034

"I was using the --rttl option in my --set line; this caused all
incoming ssh connections to be rejected; --rttl is only to be used
with --rcheck and --update."

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
extensions/libipt_recent.c

index 51b0d15d07ff0b13baf600cd36e58b2a93d4f5bf..108de2f53617ae5223f683b62c6662f0bf195e30 100644 (file)
@@ -75,6 +75,10 @@ static void recent_init(struct xt_entry_match *match)
        info->side = IPT_RECENT_SOURCE;
 }
 
+#define RECENT_CMDS \
+       (IPT_RECENT_SET | IPT_RECENT_CHECK | \
+       IPT_RECENT_UPDATE | IPT_RECENT_REMOVE)
+
 /* Function which parses command options; returns true if it
    ate an option */
 static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
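Review bot: The new RECENT_CMDS macro has no comment saying what it groups, and its meaning (the mutually exclusive command bits that recent_parse tracks in `*flags`, as opposed to modifier bits such as IPT_RECENT_TTL) is only recoverable from the later hunks. I would put `/* Mutually exclusive command bits; only one may be set per rule. */` directly above the `#define`. The constants appear to be the kernel-side IPT_RECENT_* values, so the macro also implies that the parser's `*flags` word reuses that bit layout; a word on that would help the next reader. recent_parse's body begins past the end of this hunk.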
@@ -83,43 +87,47 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
        struct ipt_recent_info *info = (struct ipt_recent_info *)(*match)->data;
        switch (c) {
                case 201:
-                       if (*flags) exit_error(PARAMETER_PROBLEM,
+                       if (*flags & RECENT_CMDS)
+                               exit_error(PARAMETER_PROBLEM,
                                        "recent: only one of `--set', `--rcheck' "
                                        "`--update' or `--remove' may be set");
                        check_inverse(optarg, &invert, &optind, 0);
                        info->check_set |= IPT_RECENT_SET;
                        if (invert) info->invert = 1;
-                       *flags = 1;
+                       *flags |= IPT_RECENT_SET;
                        break;
                        
                case 202:
-                       if (*flags) exit_error(PARAMETER_PROBLEM,
+                       if (*flags & RECENT_CMDS)
+                               exit_error(PARAMETER_PROBLEM,
                                        "recent: only one of `--set', `--rcheck' "
                                        "`--update' or `--remove' may be set");
                        check_inverse(optarg, &invert, &optind, 0);
                        info->check_set |= IPT_RECENT_CHECK;
                        if(invert) info->invert = 1;
-                       *flags = 1;
+                       *flags |= IPT_RECENT_CHECK;
                        break;
 
                case 203:
-                       if (*flags) exit_error(PARAMETER_PROBLEM,
+                       if (*flags & RECENT_CMDS)
+                               exit_error(PARAMETER_PROBLEM,
                                        "recent: only one of `--set', `--rcheck' "
                                        "`--update' or `--remove' may be set");
                        check_inverse(optarg, &invert, &optind, 0);
                        info->check_set |= IPT_RECENT_UPDATE;
                        if (invert) info->invert = 1;
-                       *flags = 1;
+                       *flags |= IPT_RECENT_UPDATE;
                        break;
 
                case 206:
-                       if (*flags) exit_error(PARAMETER_PROBLEM,
+                       if (*flags & RECENT_CMDS)
+                               exit_error(PARAMETER_PROBLEM,
                                        "recent: only one of `--set', `--rcheck' "
                                        "`--update' or `--remove' may be set");
                        check_inverse(optarg, &invert, &optind, 0);
                        info->check_set |= IPT_RECENT_REMOVE;
                        if (invert) info->invert = 1;
-                       *flags = 1;
+                       *flags |= IPT_RECENT_REMOVE;
                        break;
 
                case 204:
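Review bot: Cases 201, 202, 203 and 206 now carry four byte-identical copies of the exclusivity check, the error string and the check_inverse/invert handling, differing only in the bit ORed into `info->check_set` and `*flags`; any later change to the message or the check has to be repeated four times. I would move that into one static helper and have each case call it with its bit, e.g. `case 201: recent_set_cmd(info, flags, invert, IPT_RECENT_SET); break;`. As far as this hunk shows, `invert` is not read after the switch, so passing it by value into the helper is sufficient, but confirm against the rest of recent_parse, which starts above this hunk and continues below it. While there, `if(invert)` in case 202 differs in spacing from the other three cases.
```c
/* Record one of the mutually exclusive --set/--rcheck/--update/--remove
 * commands in both the match info and the parser's flags word. */
static void recent_set_cmd(struct ipt_recent_info *info, unsigned int *flags,
                           int invert, unsigned int cmd)
{
	if (*flags & RECENT_CMDS)
		exit_error(PARAMETER_PROBLEM,
			"recent: only one of `--set', `--rcheck' "
			"`--update' or `--remove' may be set");
	check_inverse(optarg, &invert, &optind, 0);
	info->check_set |= cmd;
	if (invert)
		info->invert = 1;
	*flags |= cmd;
}

/* … unchanged: recent_parse prologue up to the switch … */
		case 201:
			recent_set_cmd(info, flags, invert, IPT_RECENT_SET);
			break;
		case 202:
			recent_set_cmd(info, flags, invert, IPT_RECENT_CHECK);
			break;
		case 203:
			recent_set_cmd(info, flags, invert, IPT_RECENT_UPDATE);
			break;
		case 206:
			recent_set_cmd(info, flags, invert, IPT_RECENT_REMOVE);
			break;
/* … unchanged: case 204 onwards … */
```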
@@ -132,6 +140,7 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 
                case 207:
                        info->check_set |= IPT_RECENT_TTL;
+                       *flags |= IPT_RECENT_TTL;
                        break;
 
                case 208:
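Review bot: The new `*flags |= IPT_RECENT_TTL;` in case 207 mirrors the bit into the parser's flags word for a reason that only becomes visible in recent_check further down, and nothing here says so; read on its own it looks redundant with the `info->check_set` line above it. I would annotate it with `/* also tracked in *flags so recent_check() can reject --rttl with commands it does not apply to */`. Note that, unlike the command options, a repeated `--rttl` is still accepted silently in this case, which is unchanged from the previous behaviour.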
@@ -157,11 +166,15 @@ static int recent_parse(int c, char **argv, int invert, unsigned int *flags,
 /* Final check; must have specified a specific option. */
 static void recent_check(unsigned int flags)
 {
-
-       if (!flags)
+       if (!(flags & RECENT_CMDS))
                exit_error(PARAMETER_PROBLEM,
                        "recent: you must specify one of `--set', `--rcheck' "
                        "`--update' or `--remove'");
+       if ((flags & IPT_RECENT_TTL) &&
+           (flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE | IPT_RECENT_UPDATE)))
+               exit_error(PARAMETER_PROBLEM,
+                          "recent: --rttl may only be used with --rcheck or "
+                          "--update");
 }
 
 /* Prints out the matchinfo. */
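Review bot: The mask in the new --rttl check includes IPT_RECENT_UPDATE, so `--update --rttl` is now rejected, yet the error message two lines below says --rttl may be used with --rcheck or --update, and the commit description quotes the same rule; the check and the message contradict each other, and --update is one of the two combinations the commit sets out to keep working. The mask should drop the update bit: `(flags & (IPT_RECENT_SET | IPT_RECENT_REMOVE)))`. With that, exactly --rcheck and --update pass the check, matching the message.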