[PATCH] iptables: iptables-xml: Fix various parsing bugs

[Phil Oester <kernel@linuxace.com>]

[-- Attachment #1: Type: text/plain, Size: 318 bytes --]

There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:

1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
   into account

This closes netfilter bugzilla #679.  

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>



[-- Attachment #2: patch-xml --]
[-- Type: text/plain, Size: 1260 bytes --]

diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4b12bd4..99d7527 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -367,7 +367,8 @@ static void
 do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 	     char *argv[], int argvattr[])
 {
-	int arg = 1;		// ignore leading -A
+	int i;
+	int arg = 2;		// ignore leading -A <chain>
 	char invert_next = 0;
 	char *spacer = "";	// space when needed to assemble arguments
 	char *level1 = NULL;
@@ -401,9 +402,14 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 
 	/* Before we start, if the first arg is -[^-] and not -m or -j or -g 
 	   then start a dummy <match> tag for old style built-in matches.  
-	   We would do this in any case, but no need if it would be empty */
-	if (arg < argc && argv[arg][0] == '-' && !isTarget(argv[arg])
-	    && strcmp(argv[arg], "-m") != 0) {
+	   We would do this in any case, but no need if it would be empty 
+	   In the case of negation, we need to look at arg+1 */
+	if (arg < argc && strcmp(argv[arg], "!") == 0)
+		i = arg + 1;
+	else
+		i = arg;
+	if (i < argc && argv[i][0] == '-' && !isTarget(argv[i])
+	    && strcmp(argv[i], "-m") != 0) {
 		OPEN_LEVEL(1, "match");
 		printf(">\n");
 	}