authorHarald Welte <laforge@gnumonks.org>2006-02-11 09:50:11 +0000
committerHarald Welte <laforge@gnumonks.org>2006-02-11 09:50:11 +0000
commitcbe1ec7f1592be8ff2d71fd93374593dceabf3c0 (patch)
tree88d5663e2f4257f3f72267a33d4daed333dec95d
parentd6bc6084bca3304a8cc800a57869bef1e21498de (diff)
Make '-p all' a special case that is handled before calling getprotoent() (Closes: #446)
-rw-r--r--ip6tables.c8
-rw-r--r--iptables.c8
2 files changed, 14 insertions, 2 deletions
diff --git a/ip6tables.c b/ip6tables.c
index e2c514e2..9396d034 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -224,7 +224,6 @@ static const struct pprot chain_protos[] = {
{ "icmpv6", IPPROTO_ICMPV6 },
{ "esp", IPPROTO_ESP },
{ "ah", IPPROTO_AH },
- { "all", 0 },
};
static char *
@@ -808,6 +807,13 @@ parse_protocol(const char *s)
if (string_to_number(s, 0, 255, &proto) == -1) {
struct protoent *pent;
+ /* first deal with the special case of 'all' to prevent
+ * people from being able to redefine 'all' in nsswitch
+ * and/or provoke expensive [not working] ldap/nis/...
+ * lookups */
+ if (!strcmp(s, "all"))
+ return 0;
+
if ((pent = getprotobyname(s)))
proto = pent->p_proto;
else {
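Review bot: The early return in parse_protocol() pins only the exact string "all"; every other protocol name still reaches `getprotobyname(s)` first, so the concern the new comment cites (names redefined through nsswitch, slow ldap/nis lookups) remains for names such as "esp" or "ah", where a remapped number would change which traffic a rule matches. If the `else` branch that follows (it continues outside this hunk) is the fallback to `chain_protos`, consulting that built-in table before `getprotobyname()` would give every listed name the same protection. At minimum the comment could state the limit, e.g. `/* only 'all' is pinned here; other names are still resolved via NSS first */`. The same applies to the identical hunk in iptables.c. Separately, with `{ "all", 0 }` dropped from `chain_protos`, any number-to-name lookup over that table would presumably stop printing protocol 0 as "all", so the rule listing output is worth checking.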
diff --git a/iptables.c b/iptables.c
index b66e5e1b..c8ab71ec 100644
--- a/iptables.c
+++ b/iptables.c
@@ -229,7 +229,6 @@ static const struct pprot chain_protos[] = {
{ "esp", IPPROTO_ESP },
{ "ah", IPPROTO_AH },
{ "sctp", IPPROTO_SCTP },
- { "all", 0 },
};
static char *
@@ -756,6 +755,13 @@ parse_protocol(const char *s)
if (string_to_number(s, 0, 255, &proto) == -1) {
struct protoent *pent;
+ /* first deal with the special case of 'all' to prevent
+ * people from being able to redefine 'all' in nsswitch
+ * and/or provoke expensive [not working] ldap/nis/...
+ * lookups */
+ if (!strcmp(s, "all"))
+ return 0;
+
if ((pent = getprotobyname(s)))
proto = pent->p_proto;
else {