Re: [PATCH] conntrack: -L doesn't take a value, so don't discard one (same for -IUDGEFA)

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Wed, Sep 25, 2024 at 05:11:01PM +0200, Ahelenia Ziemiańska wrote:
> On Wed, Sep 25, 2024 at 04:53:49PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Sep 03, 2024 at 04:53:46PM +0200, Ahelenia Ziemiańska wrote:
> > > On Tue, Sep 03, 2024 at 10:22:09AM +0200, Pablo Neira Ayuso wrote:
> > > > On Tue, Sep 03, 2024 at 04:16:21AM +0200, Ahelenia Ziemiańska wrote:
> > > > > The manual says
> > > > >    COMMANDS
> > > > >        These options specify the particular operation to perform.
> > > > >        Only one of them can be specified at any given time.
> > > > > 
> > > > >        -L --dump
> > > > >               List connection tracking or expectation table
> > > > > 
> > > > > So, naturally, "conntrack -Lo extended" should work,
> > > > > but it doesn't, it's equivalent to "conntrack -L",
> > > > > and you need "conntrack -L -o extended".
> > > > > This violates user expectations (borne of the Utility Syntax Guidelines)
> > > > > and contradicts the manual.
> > > > > 
> > > > > optarg is unused, anyway. Unclear why any of these were :: at all?
> > > > Because this supports:
> > > >         -L
> > > >         -L conntrack
> > > >         -L expect
> > > Well that's not what :: does, though; we realise this, right?
> > > 
> > > "L::" means that getopt() will return
> > >   "-L", "conntrack" -> 'L',optarg=NULL
> > >   "-Lconntrack"     -> 'L',optarg="conntrack"
> > > and the parser for -L (&c.) doesn't... use optarg.
> > Are you sure it does not use optarg?
> > 
> > static unsigned int check_type(int argc, char *argv[])
> > {
> >         const char *table = get_optional_arg(argc, argv);
> > 
> > and get_optional_arg() uses optarg.
> 
> This I've missed, but actually my diagnosis still holds:
>   static unsigned int check_type(int argc, char *argv[])
>   {
>   	const char *table = get_optional_arg(argc, argv);
>   
>   	/* default to conntrack subsystem if nothing has been specified. */
>   	if (table == NULL)
>   		return CT_TABLE_CONNTRACK;
> 
>   static char *get_optional_arg(int argc, char *argv[])
>   {
>   	char *arg = NULL;
>   
>   	/* Nasty bug or feature in getopt_long ?
>   	 * It seems that it behaves badly with optional arguments.
>   	 * Fortunately, I just stole the fix from iptables ;) */
>   	if (optarg)
>   		return arg;
> 
> So, if you say -Lanything, then
>   optarg=anything
>   get_optional_arg=(null)
> (notice that it says "return arg;", not "return optarg;",
>  i.e. this is "return NULL").
> 
> It /doesn't/ use optarg, because it explicitly treats an optarg as no optarg.
> 
> It's unclear to me what the comment is referencing,
> but I'm assuming some sort of confusion with what :: does?
> Anyway, that if(){ can be removed now, since it can never be taken now.

The issue that I'm observing is that

# conntrack -Lconntrack

now optarg is NULL after your patch, so 'conntrack' is ignored, so it
falls back to list the conntrack table.

Then, this breaks:

# conntrack -Lexpect
conntrack v1.4.9 (conntrack-tools): Bad parameter `xpect'
Try `conntrack -h' or 'conntrack --help' for more information.

Maybe your patch needs an extension to deal with this case too?

Regarding your question, this parser is old and I shamelessly took it
from the original iptables to make syntax similar.