* Possible bug with ip6tables hl module.
@ 2011-01-08 0:38 Steven Jan Springl
2011-01-08 1:38 ` Jan Engelhardt
0 siblings, 1 reply; 3+ messages in thread
From: Steven Jan Springl @ 2011-01-08 0:38 UTC (permalink / raw)
To: netfilter-devel
Hello
I am using ip6tables 1.4.10 and kernel 2.6.37.
If I type the following command:
ip6tables -A INPUT -m length --length 100 -m hl --hl-gt 100 -j ACCEPT
It works.
If I swap the length and hl options around:
ip6tables -A INPUT -m hl --hl-gt 100 -m length --length 100 -j ACCEPT
It fails with the following message:
ip6tables v1.4.10: Can't specify HL option twice
Steven.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Possible bug with ip6tables hl module.
2011-01-08 0:38 Possible bug with ip6tables hl module Steven Jan Springl
@ 2011-01-08 1:38 ` Jan Engelhardt
2011-01-09 21:14 ` Pablo Neira Ayuso
0 siblings, 1 reply; 3+ messages in thread
From: Jan Engelhardt @ 2011-01-08 1:38 UTC (permalink / raw)
To: Steven Jan Springl; +Cc: netfilter-devel
On Saturday 2011-01-08 01:38, Steven Jan Springl wrote:
>ip6tables -A INPUT -m hl --hl-gt 100 -m length --length 100 -j ACCEPT
>It fails with the following message:
>ip6tables v1.4.10: Can't specify HL option twice
I queued this patch (to be merged when everybody got
out of vacation, hehe):
origin git://dev.medozas.de/iptables master
parent 1dc27393b7ba401e6228a5ee2472a6eb72836c43 (v1.4.10-23-g1dc2739)
commit 1e128bd804b676ee91beca48312de9b251845d09
Author: Jan Engelhardt
Date: Sat Jan 8 02:25:28 2011 +0100
ip[6]tables: only call match's parse function when option char is in range
Normally, extensions use a "default:" case in switch(c) to just return
if they do not handle c. Apparently, libip6t_hl does that too late and
checks for hl-specific parsing state before it has established that c
refers to one of its own options.
Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.
One way to fix this is to move the flags checks into case '2', '3',
'4'. Doing this replication feels bad, so as an alternative, let's
just free extensions from having to deal with other extension's
options passing thru.
References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
ip6tables.c | 3 +++
iptables.c | 3 +++
xshared.h | 4 ++++
xtables.c | 4 ++--
4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index b8449f6..4ca4bfe 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1714,6 +1714,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
if (matchp->completed ||
matchp->match->parse == NULL)
continue;
+ if (c < matchp->match->option_offset ||
+ c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+ continue;
if (matchp->match->parse(c - matchp->match->option_offset,
argv, invert,
&matchp->match->mflags,
diff --git a/iptables.c b/iptables.c
index e0efbf1..bcacd49 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1746,6 +1746,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
if (matchp->completed ||
matchp->match->parse == NULL)
continue;
+ if (c < matchp->match->option_offset ||
+ c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+ continue;
if (matchp->match->parse(c - matchp->match->option_offset,
argv, invert,
&matchp->match->mflags,
diff --git a/xshared.h b/xshared.h
index c53b618..e5b2a02 100644
--- a/xshared.h
+++ b/xshared.h
@@ -4,6 +4,10 @@
struct xtables_rule_match;
struct xtables_target;
+enum {
+ XT_OPTION_OFFSET_SCALE = 256,
+};
+
extern void print_extension_helps(const struct xtables_target *,
const struct xtables_rule_match *);
diff --git a/xtables.c b/xtables.c
index b630901..5b7526c 100644
--- a/xtables.c
+++ b/xtables.c
@@ -49,7 +49,7 @@
# define IP6T_SO_GET_REVISION_TARGET 69
#endif
#include <getopt.h>
-
+#include "xshared.h"
#define NPROTO 255
@@ -111,7 +111,7 @@ struct option *xtables_merge_options(struct option *orig_opts,
mp = merge + num_oold;
/* Second, the new options */
- xt_params->option_offset += 256;
+ xt_params->option_offset += XT_OPTION_OFFSET_SCALE;
*option_offset = xt_params->option_offset;
memcpy(mp, newopts, sizeof(*mp) * num_new);
--
# Created with git-export-patch
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: Possible bug with ip6tables hl module.
2011-01-08 1:38 ` Jan Engelhardt
@ 2011-01-09 21:14 ` Pablo Neira Ayuso
0 siblings, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2011-01-09 21:14 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Steven Jan Springl, netfilter-devel
On 08/01/11 02:38, Jan Engelhardt wrote:
> On Saturday 2011-01-08 01:38, Steven Jan Springl wrote:
>
>> ip6tables -A INPUT -m hl --hl-gt 100 -m length --length 100 -j ACCEPT
>> It fails with the following message:
>> ip6tables v1.4.10: Can't specify HL option twice
>
> I queued this patch (to be merged when everybody got
> out of vacation, hehe):
JFYI, the fix for this is now in the git tree, it will be available in
the next iptables release.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-01-09 21:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-08 0:38 Possible bug with ip6tables hl module Steven Jan Springl
2011-01-08 1:38 ` Jan Engelhardt
2011-01-09 21:14 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).