* [PATCH] multiport does not support invert
@ 2004-09-17 22:10 Phil Oester
2004-09-18 17:44 ` Patrick McHardy
0 siblings, 1 reply; 2+ messages in thread
From: Phil Oester @ 2004-09-17 22:10 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 459 bytes --]
A few weeks back I submitted a patch to document the invert option
of multiport, without noticing that it doesn't actually support invert.
I've looked at it, and it is a compatibility nightmare to try to add
support for it while still supporting old kernel/userspace.
So, here's a patch to throw an error on this:
iptables -A FORWARD -m multiport -p tcp ! --dport 1,2,3 -j DROP
instead of silently accepting it and potentially causing issues.
Phil
[-- Attachment #2: patch-mportinvert --]
[-- Type: text/plain, Size: 3808 bytes --]
diff -ru ipt-orig/extensions/libip6t_multiport.c ipt-new/extensions/libip6t_multiport.c
--- ipt-orig/extensions/libip6t_multiport.c 2003-07-14 13:01:29.000000000 -0700
+++ ipt-new/extensions/libip6t_multiport.c 2004-09-17 14:55:12.742905519 -0700
@@ -115,6 +115,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IP6T_MULTIPORT_SOURCE;
*nfcache |= NFC_IP6_SRC_PT;
break;
@@ -123,6 +124,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IP6T_MULTIPORT_DESTINATION;
*nfcache |= NFC_IP6_DST_PT;
break;
@@ -131,6 +133,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IP6T_MULTIPORT_EITHER;
*nfcache |= NFC_IP6_SRC_PT | NFC_IP6_DST_PT;
break;
@@ -139,6 +142,10 @@
return 0;
}
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
+
if (*flags)
exit_error(PARAMETER_PROBLEM,
"multiport can only have one option");
diff -ru ipt-orig/extensions/libipt_mport.c ipt-new/extensions/libipt_mport.c
--- ipt-orig/extensions/libipt_mport.c 2003-07-14 13:01:29.000000000 -0700
+++ ipt-new/extensions/libipt_mport.c 2004-09-17 14:56:23.797364198 -0700
@@ -139,6 +139,7 @@
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_SOURCE;
+ check_inverse(optarg, &invert, &optind, 0);
*nfcache |= NFC_IP_SRC_PT;
break;
@@ -146,6 +147,7 @@
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_DESTINATION;
+ check_inverse(optarg, &invert, &optind, 0);
*nfcache |= NFC_IP_DST_PT;
break;
@@ -153,6 +155,7 @@
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_EITHER;
+ check_inverse(optarg, &invert, &optind, 0);
*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
break;
@@ -160,6 +163,10 @@
return 0;
}
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
+
if (*flags)
exit_error(PARAMETER_PROBLEM,
"multiport can only have one option");
diff -ru ipt-orig/extensions/libipt_multiport.c ipt-new/extensions/libipt_multiport.c
--- ipt-orig/extensions/libipt_multiport.c 2003-07-14 13:01:29.000000000 -0700
+++ ipt-new/extensions/libipt_multiport.c 2004-09-17 14:51:55.374634873 -0700
@@ -115,6 +115,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IPT_MULTIPORT_SOURCE;
*nfcache |= NFC_IP_SRC_PT;
break;
@@ -123,6 +124,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IPT_MULTIPORT_DESTINATION;
*nfcache |= NFC_IP_DST_PT;
break;
@@ -131,6 +133,7 @@
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
+ check_inverse(optarg, &invert, &optind, 0);
multiinfo->flags = IPT_MULTIPORT_EITHER;
*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
break;
@@ -139,6 +142,10 @@
return 0;
}
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
+
if (*flags)
exit_error(PARAMETER_PROBLEM,
"multiport can only have one option");
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [PATCH] multiport does not support invert
2004-09-17 22:10 [PATCH] multiport does not support invert Phil Oester
@ 2004-09-18 17:44 ` Patrick McHardy
0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2004-09-18 17:44 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]
Phil Oester wrote:
>A few weeks back I submitted a patch to document the invert option
>of multiport, without noticing that it doesn't actually support invert.
>I've looked at it, and it is a compatibility nightmare to try to add
>support for it while still supporting old kernel/userspace.
>
>So, here's a patch to throw an error on this:
>
> iptables -A FORWARD -m multiport -p tcp ! --dport 1,2,3 -j DROP
>
>instead of silently accepting it and potentially causing issues.
>
Thanks, but your patch doesn't catch all cases:
# iptables -p tcp -m multiport ! --port 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.
# iptables -p tcp -m multiport --port ! 1
iptables v1.3.0: invalid port/service `!' specified
Try `iptables -h' or 'iptables --help' for more information.
I've applied this patch, which gives:
# iptables -p tcp -m multiport ! --port 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.
# iptables -p tcp -m multiport --port ! 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 3623 bytes --]
Index: extensions/libip6t_multiport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libip6t_multiport.c,v
retrieving revision 1.5
diff -u -r1.5 libip6t_multiport.c
--- extensions/libip6t_multiport.c 14 Jul 2003 20:01:29 -0000 1.5
+++ extensions/libip6t_multiport.c 18 Sep 2004 17:41:47 -0000
@@ -112,6 +112,7 @@
switch (c) {
case '1':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -120,6 +121,7 @@
break;
case '2':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -128,6 +130,7 @@
break;
case '3':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -138,6 +141,10 @@
default:
return 0;
}
+
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
if (*flags)
exit_error(PARAMETER_PROBLEM,
Index: extensions/libipt_mport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libipt_mport.c,v
retrieving revision 1.6
diff -u -r1.6 libipt_mport.c
--- extensions/libipt_mport.c 14 Jul 2003 20:01:29 -0000 1.6
+++ extensions/libipt_mport.c 18 Sep 2004 17:41:48 -0000
@@ -136,6 +136,7 @@
switch (c) {
case '1':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_SOURCE;
@@ -143,6 +144,7 @@
break;
case '2':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_DESTINATION;
@@ -150,6 +152,7 @@
break;
case '3':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
parse_multi_ports(argv[optind-1], minfo, proto);
minfo->flags = IPT_MPORT_EITHER;
@@ -159,6 +162,10 @@
default:
return 0;
}
+
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
if (*flags)
exit_error(PARAMETER_PROBLEM,
Index: extensions/libipt_multiport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libipt_multiport.c,v
retrieving revision 1.7
diff -u -r1.7 libipt_multiport.c
--- extensions/libipt_multiport.c 14 Jul 2003 20:01:29 -0000 1.7
+++ extensions/libipt_multiport.c 18 Sep 2004 17:41:48 -0000
@@ -112,6 +112,7 @@
switch (c) {
case '1':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -120,6 +121,7 @@
break;
case '2':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -128,6 +130,7 @@
break;
case '3':
+ check_inverse(argv[optind-1], &invert, &optind, 0);
proto = check_proto(entry);
multiinfo->count = parse_multi_ports(argv[optind-1],
multiinfo->ports, proto);
@@ -138,6 +141,10 @@
default:
return 0;
}
+
+ if (invert)
+ exit_error(PARAMETER_PROBLEM,
+ "multiport does not support invert");
if (*flags)
exit_error(PARAMETER_PROBLEM,
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-09-18 17:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-09-17 22:10 [PATCH] multiport does not support invert Phil Oester
2004-09-18 17:44 ` Patrick McHardy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.