*tables-restore: Enforce correct counters syntax if present

If '--counters' option was not given, restore parsers would ignore
anything following the policy word. Make them more strict, rejecting
anything in that spot which does not look like counter values even if
not restoring counters.

Signed-off-by: Phil Sutter <phil@nwl.cc>

1 files changed, 9 insertions, 11 deletions

diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index 6f7ddf93..f11b2dc2 100644
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -283,23 +283,21 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
 					      xt_params->program_name, line);
 
 			if (strcmp(policy, "-") != 0) {
+				char *ctrs = strtok(NULL, " \t\n");
 				struct xt_counters count = {};
 
-				if (counters) {
-					char *ctrs;
-					ctrs = strtok(NULL, " \t\n");
-
-					if (!ctrs || !parse_counters(ctrs, &count))
-						xtables_error(PARAMETER_PROBLEM,
-							      "invalid policy counters for chain '%s'",
-							      chain);
-				}
+				if ((!ctrs && counters) ||
+				    (ctrs && !parse_counters(ctrs, &count)))
+					xtables_error(PARAMETER_PROBLEM,
+						      "invalid policy counters for chain '%s'",
+						      chain);
 
 				DEBUGP("Setting policy of chain %s to %s\n",
 					chain, policy);
 
-				if (!cb->ops->set_policy(chain, policy, &count,
-						     handle))
+				if (!cb->ops->set_policy(chain, policy,
+							 counters ? &count : NULL,
+							 handle))
 					xtables_error(OTHER_PROBLEM,
 						      "Can't set policy `%s' on `%s' line %u: %s",
 						      policy, chain, line,