| author | Phil Sutter <phil@nwl.cc> | 2019-09-20 17:31:58 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2019-10-21 16:15:34 +0200 |
| commit | 3dc433b55bbfaf9df3ee408aaa6282742f377864 | |
| tree | 0e867ad01427cfc52b747064e54b7d10364666f1 /iptables/tests/shell | |
| parent | 55a7558bb2c86e650809610e976e9d5192fe4e7e | |
xtables-restore: Fix --table parameter check
Xtables-restore tries to reject rule commands in input which contain a
--table parameter (since it is adding this itself based on the previous
table line). The manual check was not perfect though as it caught any
parameter starting with a dash and containing a 't' somewhere, even in
rule comments:
| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT
Instead of error-prone manual checking, go a much simpler route: All
do_command callbacks are passed a boolean indicating they're called from
*tables-restore. React upon this when handling a table parameter and
error out if it's not the first one.
Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/tests/shell')
-rwxr-xr-x | iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0 | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0 b/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0 new file mode 100755 index 00000000..4e2202df --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0009-table-name-comment_0 @@ -0,0 +1,13 @@ +#!/bin/bash + +# when restoring a ruleset, *tables-restore prefixes each rule with +# '-t <tablename>' so standard rule parsing routines may be used. This means +# that it has to detect and reject rules which already contain a table option. + +$XT_MULTI iptables-restore <<EOF +*filter +-t nat -A FORWARD -j ACCEPT +COMMIT +EOF + +[[ $? != 0 ]] || exit 1 |
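Review bot: the new test only asserts a non-zero exit from `$XT_MULTI iptables-restore`, so `[[ $? != 0 ]] || exit 1` is satisfied by any failure at all (an unrelated parse error, a missing binary) and cannot tell the intended rejection of `-t nat` inside `*filter` apart from some other error; consider capturing stderr and checking that the diagnostic refers to the table option. The test also covers only the rejection side of the change: the commit message's motivating case, a rule whose comment starts with a dash (`--comment "- allow this one"`) that the old check wrongly rejected, has no test here, and a companion case asserting that such a ruleset now restores successfully would guard the actual fix against regression.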