author | Phil Oester <kernel@linuxace.com> | 2013-06-20 08:53:36 -0400 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-07-26 16:36:20 +0200 |
commit | 68cecd598f55f58a1ae2132cdfb0b5e0a52cae1f (patch) | |
tree | 631e2578c867e398b0d939b26727c4056277205d | |
parent | c18f2ce7f61c7e7ae3bd207ef6337a1be0c7aff3 (diff) |
iptables: iptables-xml: Fix various parsing bugs
There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:
1) Ignore "-A <chain>" instead of just "-A"
2) When checking to see if we need a <match> tag, inversion needs to be taken
into account
This closes netfilter bugzilla #679.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | iptables/iptables-xml.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4b12bd46..e272ef91 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -367,7 +367,8 @@ static void
 do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
	     char *argv[], int argvattr[])
 {
-	int arg = 1;		// ignore leading -A
+	int i;
+	int arg = 2;		// ignore leading -A <chain>
 	char invert_next = 0;
 	char *spacer = "";	// space when needed to assemble arguments
 	char *level1 = NULL;
@@ -399,11 +400,17 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 		arg++;
 	}
 
-	/* Before we start, if the first arg is -[^-] and not -m or -j or -g
-	   then start a dummy <match> tag for old style built-in matches.
-	   We would do this in any case, but no need if it would be empty */
-	if (arg < argc && argv[arg][0] == '-' && !isTarget(argv[arg])
-	    && strcmp(argv[arg], "-m") != 0) {
+	/* Before we start, if the first arg is -[^-] and not -m or -j or -g
+	 * then start a dummy <match> tag for old style built-in matches.
+	 * We would do this in any case, but no need if it would be empty.
+	 * In the case of negation, we need to look at arg+1
+	 */
+	if (arg < argc && strcmp(argv[arg], "!") == 0)
+		i = arg + 1;
+	else
+		i = arg;
+	if (i < argc && argv[i][0] == '-' && !isTarget(argv[i])
+	    && strcmp(argv[i], "-m") != 0) {
 		OPEN_LEVEL(1, "match");
 		printf(">\n");
 	}
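Review bot: The new `int arg = 2;` in the first hunk hard-codes the assumption that argv[1] is always the chain name, and nothing in the function states that contract; the `arg < argc` guards in the second hunk tolerate a short line (arg == argc), but any code elsewhere in do_rule_part that reads argv[arg - 1] or argv[1] directly would not, and this parser consumes externally supplied iptables-save text. A comment next to the declaration, `/* argv[0] is "-A" and argv[1] the chain; rule arguments start at argv[2] */`, would make the input shape explicit for the next reader. In the second hunk `i` is only a look-ahead index for the "!" case; since the file already uses C99 `//` comments, it could be declared at its point of use as `int i = (arg < argc && strcmp(argv[arg], "!") == 0) ? arg + 1 : arg;` instead of an uninitialized top-of-block `int i;`. do_rule_part's body continues outside both hunks, so whether `i` is reused later cannot be confirmed from here.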