Make '-p all' a special case that is handled before calling getprotoent() (Closes...

diff --git a/ip6tables.c b/ip6tables.c
index e2c514e2eee7507b8c1edaf27168daeb9360bba2..9396d034c1c88d30b2e4d88fe9821ec79f094470 100644 (file)
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -224,7 +224,6 @@ static const struct pprot chain_protos[] = {
        { "icmpv6", IPPROTO_ICMPV6 },
        { "esp", IPPROTO_ESP },
        { "ah", IPPROTO_AH },
-       { "all", 0 },
 };
 
 static char *
@@ -808,6 +807,13 @@ parse_protocol(const char *s)
        if (string_to_number(s, 0, 255, &proto) == -1) {
                struct protoent *pent;
 
+               /* first deal with the special case of 'all' to prevent
+                * people from being able to redefine 'all' in nsswitch
+                * and/or provoke expensive [not working] ldap/nis/... 
+                * lookups */
+               if (!strcmp(s, "all"))
+                       return 0;
+
                if ((pent = getprotobyname(s)))
                        proto = pent->p_proto;
                else {

diff --git a/iptables.c b/iptables.c
index b66e5e1b6f577a7a26b5a606cf1630d1b0f6c358..c8ab71ec4fddb113984bd022489073c6168b7017 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -229,7 +229,6 @@ static const struct pprot chain_protos[] = {
        { "esp", IPPROTO_ESP },
        { "ah", IPPROTO_AH },
        { "sctp", IPPROTO_SCTP },
-       { "all", 0 },
 };
 
 static char *
@@ -756,6 +755,13 @@ parse_protocol(const char *s)
        if (string_to_number(s, 0, 255, &proto) == -1) {
                struct protoent *pent;
 
+               /* first deal with the special case of 'all' to prevent
+                * people from being able to redefine 'all' in nsswitch
+                * and/or provoke expensive [not working] ldap/nis/... 
+                * lookups */
+               if (!strcmp(s, "all"))
+                       return 0;
+
                if ((pent = getprotobyname(s)))
                        proto = pent->p_proto;
                else {