From: Patrick McHardy <kaber@trash.net>
To: "Hervé Eychenne" <rv@wallfire.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: [PATCH]: fix all iptables problems with "!" (hopefully)
Date: Mon, 06 Jan 2003 09:15:10 +0100
Message-ID: <3E193B0E.9030602@trash.net>
In-Reply-To: <20030106020219.GC423@comet.rv-int>
[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]
Hervé Eychenne wrote:
>On Mon, Jan 06, 2003 at 03:31:07AM +0200, Costa Tsaousis wrote:
>
> Hi,
>
>
>
>>I believe I have faced another, not-mentioned-in-2002, bug:
>>[...]
>>then iptables-save gives this:
>>
>>-A OUTPUT -d ! 127.0.0.1 -p tcp -m owner --uid-owner !squid -m tcp --dport
>>80 -j DNAT --to-destination 127.0.0.1:3128
>>
>>which produces a "user '!squid' not found" error when restored.
>>
>>
>
>It seems to me that no single week passes without any post about this
>kind of error (no space before a negation) in some save output module.
>Sigh.
>I must admit it seems quite strange to me that no one in the coreteam
>didn't do that already. (hope I won't hurt anybody's feelings too
>much though) ;-)
>
>Would someone who's even more fed up than me with these recurrent
>messages have time to audit the whole bunch of existing modules in
>the CVS tree and fix this particular kind of problem _once and for all_?
>
>
>
I did, here is the (untested) patch, hopefully I didn't miss any.
I didn't change any of the "save"-functions, this patch just replaces
all uses of optarg after check_inverse by argv[optind-1].
Regards,
Patrick
>Thanks in advance,
>
> Herve
>
>
>
[-- Attachment #2: extensions_save.diff --]
[-- Type: text/plain, Size: 10787 bytes --]
Index: extensions/libip6t_mark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libip6t_mark.c,v
retrieving revision 1.4
diff -u -r1.4 libip6t_mark.c
--- extensions/libip6t_mark.c 29 May 2002 13:08:16 -0000 1.4
+++ extensions/libip6t_mark.c 6 Jan 2003 08:03:44 -0000
@@ -46,13 +46,13 @@
char *end;
case '1':
check_inverse(optarg, &invert, &optind, 0);
- markinfo->mark = strtoul(optarg, &end, 0);
+ markinfo->mark = strtoul(argv[optind-1], &end, 0);
if (*end == '/') {
markinfo->mask = strtoul(end+1, &end, 0);
} else
markinfo->mask = 0xffffffff;
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
if (invert)
markinfo->invert = 1;
*flags = 1;
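Review bot: On the changed line `markinfo->mark = strtoul(argv[optind-1], &end, 0);`, argv[optind-1] is the value only when the value is its own argv element. With the attached long-option form (`--option=value`), getopt_long points optarg at the text after the `=` while argv[optind-1] is the whole `--option=value` token, so strtoul consumes nothing and the new `end == argv[optind-1]` test rejects an argument the old code accepted. Consider using argv[optind-1] only when check_inverse actually saw a `!`, and optarg otherwise.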
Index: extensions/libip6t_owner.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libip6t_owner.c,v
retrieving revision 1.4
diff -u -r1.4 libip6t_owner.c
--- extensions/libip6t_owner.c 29 May 2002 13:08:16 -0000 1.4
+++ extensions/libip6t_owner.c 6 Jan 2003 08:03:45 -0000
@@ -57,12 +57,12 @@
case '1':
check_inverse(optarg, &invert, &optind, 0);
- if ((pwd = getpwnam(optarg)))
+ if ((pwd = getpwnam(argv[optind-1])))
ownerinfo->uid = pwd->pw_uid;
else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
+ ownerinfo->uid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", argv[optind-1]);
}
if (invert)
ownerinfo->invert |= IP6T_OWNER_UID;
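Review bot: case '1' tries getpwnam() before the numeric parse, so an all-digit argument that happens to be an account name resolves to that account's uid rather than the number typed. If that precedence is intended it deserves a comment; otherwise try strtoul first and fall back to getpwnam() only when `*end != '\0'`.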
@@ -72,12 +72,12 @@
case '2':
check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
+ if ((grp = getgrnam(argv[optind-1])))
ownerinfo->gid = grp->gr_gid;
else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
+ ownerinfo->gid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", argv[optind-1]);
}
if (invert)
ownerinfo->invert |= IP6T_OWNER_GID;
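Review bot: Style point for case '2' (and the other cases in this file): argv[optind-1] is now spelled out four times per case, in the getgrnam() call, the strtoul call, the `end ==` comparison and the error message. A local such as `const char *arg = argv[optind-1];` set right after check_inverse would keep the lines within width and make it harder for a later edit to leave one stray optarg behind.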
@@ -87,9 +87,9 @@
case '3':
check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
+ ownerinfo->pid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", argv[optind-1]);
if (invert)
ownerinfo->invert |= IP6T_OWNER_PID;
ownerinfo->match |= IP6T_OWNER_PID;
@@ -98,9 +98,9 @@
case '4':
check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
+ ownerinfo->sid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", argv[optind-1]);
if (invert)
ownerinfo->invert |= IP6T_OWNER_SID;
ownerinfo->match |= IP6T_OWNER_SID;
Index: extensions/libipt_connmark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_connmark.c,v
retrieving revision 1.5
diff -u -r1.5 libipt_connmark.c
--- extensions/libipt_connmark.c 20 Sep 2002 15:25:13 -0000 1.5
+++ extensions/libipt_connmark.c 6 Jan 2003 08:03:45 -0000
@@ -46,13 +46,13 @@
char *end;
case '1':
check_inverse(optarg, &invert, &optind, 0);
- markinfo->mark = strtoul(optarg, &end, 0);
+ markinfo->mark = strtoul(argv[optind-1], &end, 0);
if (*end == '/') {
markinfo->mask = strtoul(end+1, &end, 0);
} else
markinfo->mask = 0xffffffff;
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
if (invert)
markinfo->invert = 1;
*flags = 1;
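Review bot: The validity test `if (*end != '\0' || end == argv[optind-1])` only catches an empty mark, not an empty mask. For an argument ending in `/` with nothing after it, the second strtoul consumes no digits, leaves end on the terminating NUL and stores a mask of 0, so the rule is accepted with a mask the user never wrote. Since these lines are being touched anyway, remember the pointer passed to the mask strtoul (`end+1`) and reject the argument when end has not moved past it.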
Index: extensions/libipt_ecn.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_ecn.c,v
retrieving revision 1.3
diff -u -r1.3 libipt_ecn.c
--- extensions/libipt_ecn.c 5 Aug 2002 19:35:52 -0000 1.3
+++ extensions/libipt_ecn.c 6 Jan 2003 08:03:45 -0000
@@ -80,7 +80,7 @@
einfo->invert |= IPT_ECN_OP_MATCH_IP;
*flags |= IPT_ECN_OP_MATCH_IP;
einfo->operation |= IPT_ECN_OP_MATCH_IP;
- if (string_to_number(optarg, 0, 3, &result))
+ if (string_to_number(argv[optind-1], 0, 3, &result))
exit_error(PARAMETER_PROBLEM,
"ECN match: Value out of range");
einfo->ip_ect = result;
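Review bot: The exit_error() under the changed string_to_number() call reports only "ECN match: Value out of range" and, unlike the other parsers in this patch, does not echo the offending argument. Adding argv[optind-1] to the message would make a bad token in a restored ruleset much easier to locate.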
Index: extensions/libipt_helper.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_helper.c,v
retrieving revision 1.3
diff -u -r1.3 libipt_helper.c
--- extensions/libipt_helper.c 29 May 2002 13:08:16 -0000 1.3
+++ extensions/libipt_helper.c 6 Jan 2003 08:03:45 -0000
@@ -44,8 +44,8 @@
switch (c) {
case '1':
- check_inverse(optarg, &invert, &invert, 0);
- strncpy(info->name, optarg, 29);
+ check_inverse(optarg, &invert, &optind, 0);
+ strncpy(info->name, argv[optind-1], 29);
if (invert)
info->invert = 1;
*flags = 1;
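Review bot: `strncpy(info->name, argv[optind-1], 29);` silently truncates a longer helper name and relies on the destination already being zeroed for its terminator. Use sizeof(info->name) instead of the literal 29, reject over-long names with exit_error() as the OWNER CMD case does, and terminate explicitly. Separately, the change of check_inverse's third argument from `&invert` to `&optind` is a real fix that the description ("just replaces all uses of optarg") does not mention; it is worth a line there.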
Index: extensions/libipt_mark.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_mark.c,v
retrieving revision 1.8
diff -u -r1.8 libipt_mark.c
--- extensions/libipt_mark.c 20 Sep 2002 15:25:13 -0000 1.8
+++ extensions/libipt_mark.c 6 Jan 2003 08:03:45 -0000
@@ -46,13 +46,13 @@
char *end;
case '1':
check_inverse(optarg, &invert, &optind, 0);
- markinfo->mark = strtoul(optarg, &end, 0);
+ markinfo->mark = strtoul(argv[optind-1], &end, 0);
if (*end == '/') {
markinfo->mask = strtoul(end+1, &end, 0);
} else
markinfo->mask = 0xffffffff;
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", optarg);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad MARK value `%s'", argv[optind-1]);
if (invert)
markinfo->invert = 1;
*flags = 1;
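Review bot: Neither strtoul call in this hunk checks for overflow. On a value too large for unsigned long, strtoul returns ULONG_MAX, sets errno to ERANGE and still advances end past the digits, so the `*end != '\0' || end == argv[optind-1]` test passes and the rule is installed with a mark the user did not type. Clear errno before each call and treat ERANGE as a "Bad MARK value" error.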
Index: extensions/libipt_owner.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_owner.c,v
retrieving revision 1.8
diff -u -r1.8 libipt_owner.c
--- extensions/libipt_owner.c 29 May 2002 13:08:16 -0000 1.8
+++ extensions/libipt_owner.c 6 Jan 2003 08:03:45 -0000
@@ -71,12 +71,12 @@
struct group *grp;
case '1':
check_inverse(optarg, &invert, &optind, 0);
- if ((pwd = getpwnam(optarg)))
+ if ((pwd = getpwnam(argv[optind-1])))
ownerinfo->uid = pwd->pw_uid;
else {
- ownerinfo->uid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", optarg);
+ ownerinfo->uid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER UID value `%s'", argv[optind-1]);
}
if (invert)
ownerinfo->invert |= IPT_OWNER_UID;
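Review bot: In case '1', getpwnam() still receives the name with the `!` attached when the rule is written the way the quoted iptables-save output prints it (`--uid-owner !squid`), because check_inverse is only handed optarg and nothing in this hunk strips a leading `!` from argv[optind-1]. With the save functions left unchanged, the reported save/restore round trip looks unfixed by this change alone: either the save side has to print `! squid`, or the parser has to accept the glued form.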
@@ -86,12 +86,12 @@
case '2':
check_inverse(optarg, &invert, &optind, 0);
- if ((grp = getgrnam(optarg)))
+ if ((grp = getgrnam(argv[optind-1])))
ownerinfo->gid = grp->gr_gid;
else {
- ownerinfo->gid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", optarg);
+ ownerinfo->gid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER GID value `%s'", argv[optind-1]);
}
if (invert)
ownerinfo->invert |= IPT_OWNER_GID;
@@ -101,9 +101,9 @@
case '3':
check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->pid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", optarg);
+ ownerinfo->pid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER PID value `%s'", argv[optind-1]);
if (invert)
ownerinfo->invert |= IPT_OWNER_PID;
ownerinfo->match |= IPT_OWNER_PID;
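Review bot: In case '3', strtoul is called with base 0, so a PID written with a leading zero is parsed as octal and a `0x` prefix as hexadecimal. That is convenient for marks and masks but surprising for process IDs; consider base 10 here (and for the SID case below), or document the accepted forms.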
@@ -112,9 +112,9 @@
case '4':
check_inverse(optarg, &invert, &optind, 0);
- ownerinfo->sid = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", optarg);
+ ownerinfo->sid = strtoul(argv[optind-1], &end, 0);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER SID value `%s'", argv[optind-1]);
if (invert)
ownerinfo->invert |= IPT_OWNER_SID;
ownerinfo->match |= IPT_OWNER_SID;
@@ -124,10 +124,11 @@
#ifdef IPT_OWNER_COMM
case '5':
check_inverse(optarg, &invert, &optind, 0);
- if(strlen(optarg) > sizeof(ownerinfo->comm))
- exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters", optarg, sizeof(ownerinfo->comm));
+ if(strlen(argv[optind-1]) > sizeof(ownerinfo->comm))
+ exit_error(PARAMETER_PROBLEM, "OWNER CMD `%s' too long, max %d characters",
+ argv[optind-1], sizeof(ownerinfo->comm));
- strncpy(ownerinfo->comm, optarg, sizeof(ownerinfo->comm));
+ strncpy(ownerinfo->comm, argv[optind-1], sizeof(ownerinfo->comm));
if (invert)
ownerinfo->invert |= IPT_OWNER_COMM;
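Review bot: The length check `strlen(argv[optind-1]) > sizeof(ownerinfo->comm)` is off by one. A name of exactly sizeof(ownerinfo->comm) characters passes, and the following strncpy then fills the buffer without a terminating NUL. The test should be `>=`, with the "max" in the message adjusted to sizeof - 1. Also, sizeof yields a size_t, so the `%d` in the format string needs a cast to int or a matching conversion.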
Index: extensions/libipt_realm.c
===================================================================
RCS file: /cvspublic/netfilter/userspace/extensions/libipt_realm.c,v
retrieving revision 1.4
diff -u -r1.4 libipt_realm.c
--- extensions/libipt_realm.c 29 May 2002 13:08:16 -0000 1.4
+++ extensions/libipt_realm.c 6 Jan 2003 08:03:45 -0000
@@ -50,13 +50,13 @@
char *end;
case '1':
check_inverse(optarg, &invert, &optind, 0);
- realminfo->id = strtoul(optarg, &end, 0);
+ realminfo->id = strtoul(argv[optind-1], &end, 0);
if (*end == '/') {
realminfo->mask = strtoul(end+1, &end, 0);
} else
realminfo->mask = 0xffffffff;
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad REALM value `%s'", optarg);
+ if (*end != '\0' || end == argv[optind-1])
+ exit_error(PARAMETER_PROBLEM, "Bad REALM value `%s'", argv[optind-1]);
if (invert)
realminfo->invert = 1;
*flags = 1;
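Review bot: This value/mask parsing block is now the fourth near-identical copy touched by the patch (libip6t_mark.c, libipt_connmark.c, libipt_mark.c and here), and each needed the same three-line edit. A shared helper that takes the argument string and returns value and mask would let the `!` handling and the strtoul validation be fixed in one place instead of being audited module by module.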