authorPhil Oester <kernel@linuxace.com>2013-06-20 08:53:36 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2013-07-26 16:36:20 +0200
commit68cecd598f55f58a1ae2132cdfb0b5e0a52cae1f (patch)
tree631e2578c867e398b0d939b26727c4056277205d
parentc18f2ce7f61c7e7ae3bd207ef6337a1be0c7aff3 (diff)
iptables: iptables-xml: Fix various parsing bugs
There are two bugs in iptables-xml do_rule_part parsing corrected by this patch: 1) Ignore "-A <chain>" instead of just "-A" 2) When checking to see if we need a <match> tag, inversion needs to be taken into account This closes netfilter bugzilla #679. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--iptables/iptables-xml.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 4b12bd46..e272ef91 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -367,7 +367,8 @@ static void
do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
char *argv[], int argvattr[])
{
- int arg = 1; // ignore leading -A
+ int i;
+ int arg = 2; // ignore leading -A <chain>
char invert_next = 0;
char *spacer = ""; // space when needed to assemble arguments
char *level1 = NULL;
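Review bot: `int i;` is added here uninitialized at function scope, yet it only serves as a lookahead index in the second hunk (`i = arg + 1` / `i = arg` just before the dummy `<match>` test); the file already uses C99 `//` comments, so declaring it at the point of use with an initializer keeps the scope tight and removes the uninitialized window: `int i = (arg < argc && strcmp(argv[arg], "!") == 0) ? arg + 1 : arg;`. The new comment `// ignore leading -A <chain>` also encodes the assumption that argv[1] is always the chain name; that is presumably true for iptables-save `-A` lines, but nothing in this hunk checks it, so the later `arg < argc` / `i < argc` guards are what keep the function safe on a shorter argv. do_rule_part's body continues past the end of the hunk.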
@@ -399,11 +400,17 @@ do_rule_part(char *leveltag1, char *leveltag2, int part, int argc,
arg++;
}
- /* Before we start, if the first arg is -[^-] and not -m or -j or -g
- then start a dummy <match> tag for old style built-in matches.
- We would do this in any case, but no need if it would be empty */
- if (arg < argc && argv[arg][0] == '-' && !isTarget(argv[arg])
- && strcmp(argv[arg], "-m") != 0) {
+ /* Before we start, if the first arg is -[^-] and not -m or -j or -g
+ * then start a dummy <match> tag for old style built-in matches.
+ * We would do this in any case, but no need if it would be empty.
+ * In the case of negation, we need to look at arg+1
+ */
+ if (arg < argc && strcmp(argv[arg], "!") == 0)
+ i = arg + 1;
+ else
+ i = arg;
+ if (i < argc && argv[i][0] == '-' && !isTarget(argv[i])
+ && strcmp(argv[i], "-m") != 0) {
OPEN_LEVEL(1, "match");
printf(">\n");
}
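Review bot: The rewritten comment still describes the first arg as `-[^-]`, but the condition on the new side only tests `argv[i][0] == '-'`, so any long option that is not `-m`, `-j` or `-g` would also open the dummy `<match>` level; either the comment should say the arg starts with `-`, or the test should add `argv[i][1] != '-'` to match what the comment promises. Which is intended depends on whether iptables-save can emit long-form built-in matches at this position, which is not visible here. The `strcmp(argv[arg], "!")` lookahead is correctly bounds-checked by `arg < argc` and `i < argc`, so no out-of-bounds read is introduced. do_rule_part continues outside the hunk.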