authorPhil Sutter <>2019-09-20 17:31:58 +0200
committerPhil Sutter <>2019-10-21 16:15:34 +0200
commit3dc433b55bbfaf9df3ee408aaa6282742f377864 (patch)
tree0e867ad01427cfc52b747064e54b7d10364666f1 /iptables/xtables-eb.c
parent55a7558bb2c86e650809610e976e9d5192fe4e7e (diff)
xtables-restore: Fix --table parameter check
Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments: | *filter | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT | COMMIT Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one. Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore") Signed-off-by: Phil Sutter <> Acked-by: Florian Westphal <>
Diffstat (limited to 'iptables/xtables-eb.c')
1 files changed, 4 insertions, 0 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3b03daef..aa754d79 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -947,6 +947,10 @@ print_zero:
case 't': /* Table */
ebt_check_option2(&flags, OPT_TABLE);
+ if (restore && *table)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
if (strlen(optarg) > EBT_TABLE_MAXNAMELEN - 1)
"Table name length cannot exceed %d characters",
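Review bot: The new restore check sits after `ebt_check_option2(&flags, OPT_TABLE);`, so if that helper rejects a repeated option (as its name suggests; its body is not in the hunk), a second -t in a restore line is probably refused there with a generic message and the line-numbered error added here is never printed. Moving `if (restore && *table)` above the `ebt_check_option2()` call would make the intended diagnostic reachable. The new message also ends in `\n`, while the neighbouring `"Table name length cannot exceed %d characters"` does not; drop it unless xtables_error() is known not to append its own newline. The `case 't'` body continues past the end of the hunk.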