* [PATCH] iptables: iptables-xml: Fix various parsing bugs
@ 2013-06-20 12:53 Phil Oester
2013-07-26 14:52 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Phil Oester @ 2013-06-20 12:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account
This closes netfilter bugzilla #679.
Phil
Signed-off-by: Phil Oester <kernel@linuxace.com>
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4b12bd4..99d7527 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -367,7 +367,8 @@ static void
do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
char *argv[], int argvattr[])
{
- int arg = 1; // ignore leading -A
+ int i;
+ int arg = 2; // ignore leading -A <chain>
char invert_next = 0;
char *spacer = ""; // space when needed to assemble arguments
char *level1 = NULL;
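Review bot: `int arg = 2` hard-codes the assumption that every rule passed to do_rule_part() begins with "-A" followed by a chain name, and nothing in this hunk checks or documents that for callers. Either state the expected argument layout in the function comment, or skip the second argument only after confirming that it exists and that the first one really is "-A", so a line in any other form does not silently lose its first real option. Separately, `int i;` is declared here, far from its single use as a lookahead index in the next hunk; a descriptive name would read better than `i`.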
@@ -401,9 +402,14 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
/* Before we start, if the first arg is -[^-] and not -m or -j or -g
then start a dummy <match> tag for old style built-in matches.
- We would do this in any case, but no need if it would be empty */
- if (arg < argc && argv[arg][0] == '-' && !isTarget(argv[arg])
- && strcmp(argv[arg], "-m") != 0) {
+ We would do this in any case, but no need if it would be empty
+ In the case of negation, we need to look at arg+1 */
+ if (arg < argc && strcmp(argv[arg], "!") == 0)
+ i = arg + 1;
+ else
+ i = arg;
+ if (i < argc && argv[i][0] == '-' && !isTarget(argv[i])
+ && strcmp(argv[i], "-m") != 0) {
OPEN_LEVEL(1, "match");
printf(">\n");
}
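Review bot: the lookahead added in `if (arg < argc && strcmp(argv[arg], "!") == 0)` skips exactly one "!" and deliberately leaves `arg` pointing at it, and the comment should say so, so that a later reader does not "fix" it by advancing `arg`. The `i < argc` bound correctly covers a rule whose last token is "!". Style points: the added comment sentence runs on from "empty" with no full stop, the multi-line comment does not use the leading-asterisk form, and the four-line if/else could be a single conditional assignment to `i`.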
* Re: [PATCH] iptables: iptables-xml: Fix various parsing bugs
From: Pablo Neira Ayuso @ 2013-07-26 14:52 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter-devel
On Thu, Jun 20, 2013 at 08:53:36AM -0400, Phil Oester wrote:
> There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
>
> 1) Ignore "-A <chain>" instead of just "-A"
> 2) When checking to see if we need a <match> tag, inversion needs to be taken
> into account
>
> This closes netfilter bugzilla #679.
Applied with cosmetic change, thanks Phil.
> Phil
>
> Signed-off-by: Phil Oester <kernel@linuxace.com>
>
>
> diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
> index 4b12bd4..99d7527 100644
> --- a/iptables/iptables-xml.c
> +++ b/iptables/iptables-xml.c
> @@ -367,7 +367,8 @@ static void
> do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
> char *argv[], int argvattr[])
> {
> - int arg = 1; // ignore leading -A
> + int i;
> + int arg = 2; // ignore leading -A <chain>
> char invert_next = 0;
> char *spacer = ""; // space when needed to assemble arguments
> char *level1 = NULL;
> @@ -401,9 +402,14 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
>
> /* Before we start, if the first arg is -[^-] and not -m or -j or -g
> then start a dummy <match> tag for old style built-in matches.
> - We would do this in any case, but no need if it would be empty */
We prefer this comment style (similar to kernel coding style):

        /* This is a long comment ...
         * ...
         */

        /* This is a short comment */

*Not your fault*, of course, that was already there, including some
trailing whitespace.
In general, I don't like patches to address cosmetic stuff only, I
think they generate too much noise, so I prefer that cosmetic stuff
gets fixed while fixing/enhancing some real thing, like in this case.