From: Massimiliano Hofer <max@nucleus.it>
To: netfilter-devel@lists.netfilter.org
Subject: Re: patch for iptables
Date: Tue, 22 Aug 2006 16:43:33 +0200 [thread overview]
Message-ID: <200608221643.34423.max@nucleus.it> (raw)
In-Reply-To: <200608221634.13559.max@nucleus.it>
[-- Attachment #1: Type: text/plain, Size: 343 bytes --]
On Tuesday 22 August 2006 4:34 pm, Massimiliano Hofer wrote:
> Here is a patch that uses the new include for the XT version. While I was
> at it, I updated the sanity checks in order to match the module ones.
Please disregard the previous patch: the version I attached was made before a cleanup.
The attached patch is the correct one.
--
Saluti,
Massimiliano Hofer
[-- Attachment #2: iptables-1.3.5-20060820-xt_condition.patch --]
[-- Type: text/x-diff, Size: 5872 bytes --]
diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test iptables-1.3.5-20060820/extensions/.condition-test
--- iptables-1.3.5-20060820.orig/extensions/.condition-test 2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test 2006-08-21 02:39:15.000000000 +0200
@@ -1,3 +1,3 @@
#!/bin/sh
# True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/.condition-test6 iptables-1.3.5-20060820/extensions/.condition-test6
--- iptables-1.3.5-20060820.orig/extensions/.condition-test6 2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/.condition-test6 2006-08-21 02:39:27.000000000 +0200
@@ -1,3 +1,3 @@
#!/bin/sh
# True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+[ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] && echo condition
diff -Nru iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c iptables-1.3.5-20060820/extensions/libip6t_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libip6t_condition.c 2006-08-21 02:22:25.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libip6t_condition.c 2006-08-21 03:24:13.000000000 +0200
@@ -5,8 +5,7 @@
#include <getopt.h>
#include <ip6tables.h>
-#include<linux/netfilter_ipv6/ip6_tables.h>
-#include<linux/netfilter_ipv6/ip6t_condition.h>
+#include<linux/netfilter/xt_condition.h>
static void
@@ -29,8 +28,12 @@
const struct ip6t_entry *entry, unsigned int *nfcache,
struct ip6t_entry_match **match)
{
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
+ struct condition_info *info =
+ (struct condition_info *) (*match)->data;
if (c == 'X') {
if (*flags)
@@ -39,12 +42,26 @@
check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
exit_error(PARAMETER_PROBLEM,
"File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
info->invert = invert;
*flags = 1;
return 1;
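Review bot: The name validation added here (the '/' scan, the CONDITION_NAME_LEN bound and the forbidden_names check) is advisory only: a process holding CAP_NET_ADMIN can hand the kernel a rule blob without going through this extension, so the xt_condition module itself must reject the same inputs, and the cover mail's statement that these checks "match the module ones" is the property that actually matters. A one-line comment above the scan would make that explicit for the next maintainer, e.g. `/* Convenience checks only: the kernel module must enforce the same rules, since rule blobs can be submitted without iptables. */`. A lesser point: `i` is an `int` but the second loop compares it against `sizeof(forbidden_names)/sizeof(char *)`, a `size_t`, which trips -Wsign-compare; declaring a separate `size_t` index for that loop avoids the mixed comparison. The strcpy at the end is safe only because the first loop guarantees `name[i] == '\0'` with `i < CONDITION_NAME_LEN`; the comment on the length check could say so. parse() starts in the previous hunk and its closing brace is outside this one.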
@@ -67,8 +84,8 @@
print(const struct ip6t_ip6 *ip,
const struct ip6t_entry_match *match, int numeric)
{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
}
@@ -78,8 +95,8 @@
save(const struct ip6t_ip6 *ip,
const struct ip6t_entry_match *match)
{
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
}
@@ -88,8 +105,8 @@
static struct ip6tables_match condition = {
.name = "condition",
.version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+ .size = IP6T_ALIGN(sizeof(struct condition_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
.help = &help,
.parse = &parse,
.final_check = &final_check,
diff -Nru iptables-1.3.5-20060820.orig/extensions/libipt_condition.c iptables-1.3.5-20060820/extensions/libipt_condition.c
--- iptables-1.3.5-20060820.orig/extensions/libipt_condition.c 2006-08-21 02:22:24.000000000 +0200
+++ iptables-1.3.5-20060820/extensions/libipt_condition.c 2006-08-21 03:18:01.000000000 +0200
@@ -5,8 +5,7 @@
#include <getopt.h>
#include <iptables.h>
-#include<linux/netfilter_ipv4/ip_tables.h>
-#include<linux/netfilter_ipv4/ipt_condition.h>
+#include<linux/netfilter/xt_condition.h>
static void
@@ -29,6 +28,10 @@
const struct ipt_entry *entry, unsigned int *nfcache,
struct ipt_entry_match **match)
{
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
struct condition_info *info =
(struct condition_info *) (*match)->data;
@@ -39,12 +42,26 @@
check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
exit_error(PARAMETER_PROBLEM,
"File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
info->invert = invert;
*flags = 1;
return 1;
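Review bot: The new scan rejects only '/', but a name containing a double quote or whitespace still passes and, judging by the IPv6 save() in this same patch (which prints `--condition "%s"`), will produce iptables-save output that iptables-restore cannot parse back; the IPv4 save() is outside this hunk, so confirm it uses the same format. If that is the case, extending the check to `if (name[i] == '/' || name[i] == '"' || isspace((unsigned char)name[i]))` with a matching error message closes the round-trip gap (this needs `<ctype.h>`, which this file does not visibly include). Either way the '/' restriction deserves a why-comment tying it to the proc entry, e.g. `/* The name becomes a /proc entry: a '/' would create a subpath. */`. parse() begins in the preceding hunk and its closing brace lies beyond this one.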