path: root/iptables/tests/shell/testcases/ipt-restore
diff options
authorPhil Sutter <>2019-09-20 17:31:58 +0200
committerPhil Sutter <>2019-10-21 16:15:34 +0200
commit3dc433b55bbfaf9df3ee408aaa6282742f377864 (patch)
tree0e867ad01427cfc52b747064e54b7d10364666f1 /iptables/tests/shell/testcases/ipt-restore
parent55a7558bb2c86e650809610e976e9d5192fe4e7e (diff)
xtables-restore: Fix --table parameter check
Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
Diffstat (limited to 'iptables/tests/shell/testcases/ipt-restore')
1 files changed, 13 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0 b/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0
new file mode 100755
index 00000000..4e2202df
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0
@@ -0,0 +1,13 @@
+# when restoring a ruleset, *tables-restore prefixes each rule with
+# '-t <tablename>' so standard rule parsing routines may be used. This means
+# that it has to detect and reject rules which already contain a table option.
+$XT_MULTI iptables-restore <<EOF
+-t nat -A FORWARD -j ACCEPT
+[[ $? != 0 ]] || exit 1