option: fix ignored negation before implicit extension loading

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4df73b8d4c9001e1e2fe277a87639adf8eea3cf3..4037acfb1499a9d300035f5b6d4cadf537fae355 100644 (file)
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1716,7 +1716,13 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
                        exit_tryhelp(2);
 
                default:
-                       command_default(&cs, &ip6tables_globals);
+                       if (command_default(&cs, &ip6tables_globals) == 1)
+                               /*
+                                * If new options were loaded, we must retry
+                                * getopt immediately and not allow
+                                * cs.invert=FALSE to be executed.
+                                */
+                               continue;
                        break;
                }
                cs.invert = FALSE;

diff --git a/iptables/iptables.c b/iptables/iptables.c
index d9c6436c9f6e69759034f76f0dc4ac95eb945d5e..4ae7541922dce7e24a7722f7bf8679511f88d6d7 100644 (file)
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1743,7 +1743,9 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
                        exit_tryhelp(2);
 
                default:
-                       command_default(&cs, &iptables_globals);
+                       if (command_default(&cs, &iptables_globals) == 1)
+                               /* cf. ip6tables.c */
+                               continue;
                        break;
                }
                cs.invert = FALSE;

diff --git a/iptables/xshared.c b/iptables/xshared.c
index 4651888aae375a76b968fee030d46b8b899f20b8..0e3857bb86491d3a2fee6d0e5af9b89beb674ef7 100644 (file)
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -104,8 +104,8 @@ struct xtables_match *load_proto(struct iptables_command_state *cs)
                          cs->options & OPT_NUMERIC, &cs->matches);
 }
 
-void command_default(struct iptables_command_state *cs,
-                    struct xtables_globals *gl)
+int command_default(struct iptables_command_state *cs,
+                   struct xtables_globals *gl)
 {
        struct xtables_rule_match *matchp;
        struct xtables_match *m;
@@ -116,7 +116,7 @@ void command_default(struct iptables_command_state *cs,
            cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
                xtables_option_tpcall(cs->c, cs->argv, cs->invert,
                                      cs->target, &cs->fw);
-               return;
+               return 0;
        }
 
        for (matchp = cs->matches; matchp; matchp = matchp->next) {
@@ -129,7 +129,7 @@ void command_default(struct iptables_command_state *cs,
                    cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
                        continue;
                xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
-               return;
+               return 0;
        }
 
        /* Try loading protocol */
@@ -161,7 +161,8 @@ void command_default(struct iptables_command_state *cs,
                if (gl->opts == NULL)
                        xtables_error(OTHER_PROBLEM, "can't alloc memory!");
                optind--;
-               return;
+               /* Indicate to rerun getopt *immediately* */
+               return 1;
        }
 
        if (cs->c == ':')
@@ -171,6 +172,7 @@ void command_default(struct iptables_command_state *cs,
                xtables_error(PARAMETER_PROBLEM, "unknown option "
                              "\"%s\"", cs->argv[optind-1]);
        xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+       return 0;
 }
 
 static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)

diff --git a/iptables/xshared.h b/iptables/xshared.h
index d868c06ffae283e9c3ab2815d3ce36786bcecce2..b44a3a35ce4eb8ed6f496ed8fea3508842bce7f5 100644 (file)
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -77,7 +77,7 @@ enum {
 extern void print_extension_helps(const struct xtables_target *,
        const struct xtables_rule_match *);
 extern const char *proto_to_name(uint8_t, int);
-extern void command_default(struct iptables_command_state *,
+extern int command_default(struct iptables_command_state *,
        struct xtables_globals *);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
 extern int subcmd_main(int, char **, const struct subcommand *);

diff --git a/tests/options-most.rules b/tests/options-most.rules
index 4cd3a87dddba8829666247fa6ea2e7619c35bc62..6c4a831347cf87ab1ec5f2ba408b10faa6a1ad30 100644 (file)
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -38,6 +38,8 @@
 -A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
 -A INPUT -p tcp -m socket --transparent
 -A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
 -A INPUT -p tcp -m tos --tos 0xff/0x01
 -A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
 -A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft