From 68cecd598f55f58a1ae2132cdfb0b5e0a52cae1f Mon Sep 17 00:00:00 2001
From: Phil Oester
Date: Thu, 20 Jun 2013 08:53:36 -0400
Subject: iptables: iptables-xml: Fix various parsing bugs

There are two bugs in iptables-xml do_rule_part parsing corrected by this patch:

1) Ignore "-A " instead of just "-A"
2) When checking to see if we need a tag, inversion needs to be taken into account

This closes netfilter bugzilla #679.

Signed-off-by: Phil Oester
Signed-off-by: Pablo Neira Ayuso
---
 iptables/iptables-xml.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4b12bd46..e272ef91 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -367,7 +367,8 @@ static void
 do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 	     char *argv[], int argvattr[])
 {
-	int arg = 1;		// ignore leading -A
+	int i;
+	int arg = 2;		// ignore leading -A
 	char invert_next = 0;
 	char *spacer = "";	// space when needed to assemble arguments
 	char *level1 = NULL;
@@ -399,11 +400,17 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
 		arg++;
 	}
 
-	/* Before we start, if the first arg is -[^-] and not -m or -j or -g then start a dummy tag for old style built-in matches. We would do this in any case, but no need if it would be empty */
-	if (arg < argc && argv[arg][0] == '-' && !isTarget(argv[arg])
-	    && strcmp(argv[arg], "-m") != 0) {
+	/* Before we start, if the first arg is -[^-] and not -m or -j or -g
+	 * then start a dummy tag for old style built-in matches.
+	 * We would do this in any case, but no need if it would be empty.
+	 * In the case of negation, we need to look at arg+1
+	 */
+	if (arg < argc && strcmp(argv[arg], "!") == 0)
+		i = arg + 1;
+	else
+		i = arg;
+	if (i < argc && argv[i][0] == '-' && !isTarget(argv[i])
+	    && strcmp(argv[i], "-m") != 0) {
 		OPEN_LEVEL(1, "match");
 		printf(">\n");
 	}
-- 
cgit v1.2.3
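Review bot: The comment on the new `int arg = 2;` line is now stale: it still reads "ignore leading -A", but starting at index 2 skips two argv entries, the `-A` and the chain name that follows it, which is exactly the bug the commit message describes. Since that magic number is the whole fix, I'd spell it out, e.g. `int arg = 2;	/* skip "-A <chain>" (argv[0] and argv[1]) */`. The skip is unconditional, so the function presumably relies on every caller passing an argv that begins with `-A <chain>`; the `arg < argc` guards visible in the second hunk cover a start index at or past the end there, but whether the code between the two hunks is guarded the same way is not visible here. The rest of do_rule_part's body lies outside this hunk.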
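Review bot: The rewritten test `argv[i][0] == '-'` still disagrees with the comment directly above it, which says the dummy match tag is opened for a first argument of the form `-[^-]`: a `--long` option passes the check just the same, and this line is only reached for arguments that are not a target and not `-m`. If long-form built-in options are meant to open the tag too, the comment should drop the `[^-]`; if not, tighten the check to `argv[i][0] == '-' && argv[i][1] != '-'`. The mismatch predates this commit, but the line is rewritten here, so it is worth settling now. Note that `arg` itself is not advanced past `!`, so the `!` token is presumably still consumed by the argument loop that follows, and the `i < argc` guard correctly handles a trailing `!` with nothing after it. That loop and the remainder of do_rule_part lie outside the hunk.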