* iptables.c changes submitted argv value
@ 2004-08-11 12:09 Sascha
  2004-08-11 21:23 ` Henrik Nordstrom
  0 siblings, 1 reply; 5+ messages in thread
From: Sascha @ 2004-08-11 12:09 UTC (permalink / raw)
  To: netfilter-devel

Hi,

can anyone tell me why it's necessary to set optarg[0] in case of '!' to
'\0'?

iptables.c line 2010
---
case 1: /* non option */
	if (optarg[0] == '!' && optarg[1] == '\0') {
		if (invert)
			exit_error(PARAMETER_PROBLEM,
				   "multiple consecutive ! not"
				   " allowed");
		invert = TRUE;
		optarg[0] = '\0';	/* <----- */
		continue;
	}
	printf("Bad argument `%s'\n", optarg);
	exit_tryhelp(2);
---

I'm not looking for a solution to this, only an explanation.

The problem is I wanna build a daemon with iptables, which loads a static
ruleset on init. In case of:

---
deamon -A INPUT -m mark ! --mark 0 -j IDS
deamon -A OUTPUT -m mark ! --mark 0 -j IDS
---

... my init crashes with "Bad Argument ''", because do_command in iptables
changes my values ('!' to '\0')
for the ! in the second line (output-rule) ...

Thanks & Regards
Sascha
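
Added example (not part of the original post and not iptables code): getopt returns optarg as a pointer into the caller's argv, so the optarg[0] = '\0' write quoted above changes the caller's own string, and a second rule that reuses the same "!" buffer then fails as "Bad argument". parse_rule, parse_rule_copy and second_rule_result are hypothetical names, and two rules sharing one "!" buffer is an assumption about how the daemon stores its ruleset.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for do_command(): overwrites a lone "!" in place. */
static int parse_rule(int argc, char **argv)
{
	static const struct option lo[] = { {"mark", required_argument, NULL, 'k'}, {0} };
	int c;

	optind = 0;	/* restart getopt for a new argv */
	while ((c = getopt_long(argc, argv, "-A:m:j:", lo, NULL)) != -1) {
		if (c == '?' || (c == 1 && strcmp(optarg, "!") != 0))
			return -1;		/* "Bad argument" */
		if (c == 1)			/* non option: optarg aliases argv[i] */
			optarg[0] = '\0';	/* so this writes into the caller's string */
	}
	return 0;
}

/* Defensive wrapper: parse a private copy so the caller's argv stays intact. */
static int parse_rule_copy(int argc, char **argv)
{
	char buf[256], *copy[32], *p = buf;
	int i;

	for (i = 0; i < argc; p += strlen(p) + 1, i++) {
		if (i >= 31 || strlen(argv[i]) >= (size_t)(buf + sizeof(buf) - p))
			return -1;	/* rule too long for the fixed buffers */
		copy[i] = strcpy(p, argv[i]);
	}
	copy[i] = NULL;
	return parse_rule(argc, copy);
}

/* Constructed input: two rules sharing one writable "!"; result of the 2nd. */
static int second_rule_result(int (*parse)(int, char **))
{
	char bang[] = "!";
	char *in[]  = { "deamon", "-A", "INPUT",  "-m", "mark", bang, "--mark", "0", "-j", "IDS", NULL };
	char *out[] = { "deamon", "-A", "OUTPUT", "-m", "mark", bang, "--mark", "0", "-j", "IDS", NULL };

	return parse(10, in) ? -2 : parse(10, out);
}

int main(void)
{
	printf("%d %d\n", second_rule_result(parse_rule), second_rule_result(parse_rule_copy));
	return 0;
}
```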


* Re: iptables.c changes submitted argv value
  2004-08-11 12:09 Sascha
@ 2004-08-11 21:23 ` Henrik Nordstrom
  0 siblings, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2004-08-11 21:23 UTC (permalink / raw)
  To: Sascha; +Cc: netfilter-devel

On Wed, 11 Aug 2004, Sascha wrote:

> The problem is I wanna build a daemon with iptables, which loads a static
> ruleset on init.

The recommended method for doing this is using iptables-restore via a pipe 
from your daemon.

Regards
Henrik


* RE: iptables.c changes submitted argv value
       [not found] <IDEAKKJENKGNPNLKJKODOEAECAAA.listuser@epygi.de>
@ 2004-08-12 11:11 ` Henrik Nordstrom
  2004-08-13  0:05   ` Philip Craig
  0 siblings, 1 reply; 5+ messages in thread
From: Henrik Nordstrom @ 2004-08-12 11:11 UTC (permalink / raw)
  To: Sascha; +Cc: netfilter-devel

On Thu, 12 Aug 2004, Sascha wrote:

>> The recommended method for doing this is using iptables-restore via a 
>> pipe from your daemon.
>
> That's not the point. I'm developing on an embedded device and I have no 
> space for iptables-store.c, iptables-restore.c and iptables.c.

All you need is iptables-restore. It has all functions of iptables plus 
more and is very well suited for batch or daemon operations. What 
iptables-restore is is an efficient batch interface using the same syntax 
as iptables (well, it is even the same code so..)

libiptc is considered private to iptables/iptables-save/iptables-restore 
and is not meant to be used outside these applications.

Regards
Henrik
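
Added example (not from the thread or the iptables sources): one way a daemon can hand the two rules from the first message to iptables-restore over a pipe, without going through a shell. The ruleset text is constructed, and feed_ruleset, RULESET and the IDS chain declaration are assumptions.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed ruleset in iptables-save syntax, built from the two rules in
 * the thread. Declaring the IDS chain this way is an assumption. */
static const char RULESET[] =
	"*filter\n"
	":IDS - [0:0]\n"
	"-A INPUT -m mark ! --mark 0 -j IDS\n"
	"-A OUTPUT -m mark ! --mark 0 -j IDS\n"
	"COMMIT\n";

/* Run cmd[] (no shell) with text on its stdin. Returns the child's exit
 * status, or -1 on pipe/fork/write failure or abnormal termination. */
static int feed_ruleset(char *const cmd[], const char *text)
{
	size_t left = strlen(text);
	int fds[2], status;
	ssize_t n;
	pid_t pid;

	signal(SIGPIPE, SIG_IGN);	/* a dead child must not kill the daemon */
	if (pipe(fds) < 0)
		return -1;
	if ((pid = fork()) == 0) {
		dup2(fds[0], STDIN_FILENO);
		close(fds[0]);
		close(fds[1]);
		execvp(cmd[0], cmd);
		_exit(127);		/* exec failed */
	}
	close(fds[0]);
	for (; pid > 0 && left > 0 && (n = write(fds[1], text, left)) > 0; left -= n)
		text += n;
	close(fds[1]);			/* EOF tells the child the batch is complete */
	if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || left)
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	char *const cmd[] = { "iptables-restore", NULL };

	return feed_ruleset(cmd, RULESET) == 0 ? 0 : 1;
}
```

By default iptables-restore replaces the existing contents of each table named in its input; its --noflush option keeps them.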


* Re: iptables.c changes submitted argv value
  2004-08-12 11:11 ` iptables.c changes submitted argv value Henrik Nordstrom
@ 2004-08-13  0:05   ` Philip Craig
  2004-08-13  2:01     ` Ben Efros
  0 siblings, 1 reply; 5+ messages in thread
From: Philip Craig @ 2004-08-13  0:05 UTC (permalink / raw)
  To: Sascha; +Cc: Henrik Nordstrom, netfilter-devel

Henrik Nordstrom wrote:
> On Thu, 12 Aug 2004, Sascha wrote:
>>That's not the point. I'm developing on an embedded device and I have no 
>>space for iptables-store.c, iptables-restore.c and iptables.c.
> 
> 
> All you need is iptables-restore. It has all functions of iptables plus 
> more and is very well suited for batch or daemon operations. What 
> iptables-restore is is an efficient batch interface using the same syntax 
> as iptables (well, it is even the same code so..)

You probably want to have iptables still for debugging/diagnostics.
If so, get the latest version of iptables from CVS and enable DO_MULTI.
This combines all three programs into the one binary.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com


* Re: iptables.c changes submitted argv value
  2004-08-13  0:05   ` Philip Craig
@ 2004-08-13  2:01     ` Ben Efros
  0 siblings, 0 replies; 5+ messages in thread
From: Ben Efros @ 2004-08-13  2:01 UTC (permalink / raw)
  To: Philip Craig; +Cc: Sascha, netfilter-devel


>
> You probably want to have iptables still for debugging/diagnostics.
> If so, get the latest version of iptables from CVS and enable DO_MULTI.
> This combines all three programs into the one binary.
>
Additionally if you need to save space, you can use the strip utility:

iptables    (orig)         64486 bytes
#strip -s iptables
iptables    (stripped)  56612 bytes

Yea! 87.8% of the original size!

(I used gcc 3.4.1 2004-6-11 on iptables-1.2.11 2004-8-12 snapshot)

There are a number of other ways to easily cut the size down much 
smaller and keep the same functionality.
