-rw-r--r-- | extensions/libxt_LED.c | 7 | ||||
-rw-r--r-- | extensions/libxt_SET.man | 12 | ||||
-rw-r--r-- | extensions/libxt_devgroup.c | 72 | ||||
-rw-r--r-- | extensions/libxt_hashlimit.c | 17 | ||||
-rw-r--r-- | extensions/libxt_limit.c | 17 | ||||
-rw-r--r-- | extensions/libxt_u32.c | 12 | ||||
-rw-r--r-- | iptables/ip6tables-restore.c | 132 | ||||
-rw-r--r-- | iptables/iptables-restore.c | 132 |
8 files changed, 201 insertions, 200 deletions
diff --git a/extensions/libxt_LED.c b/extensions/libxt_LED.c
index 9d68fa27..e6cf8497 100644
--- a/extensions/libxt_LED.c
+++ b/extensions/libxt_LED.c
@@ -49,6 +49,7 @@ static void LED_help(void)
 static void LED_parse(struct xt_option_call *cb)
 {
 struct xt_led_info *led = cb->data;
+ unsigned int delay;
 xtables_option_parse(cb);
 switch (cb->entry->id) {
@@ -59,8 +60,10 @@ static void LED_parse(struct xt_option_call *cb)
 case O_LED_DELAY:
 if (strncasecmp(cb->arg, "inf", 3) == 0)
 led->delay = -1;
- else
- led->delay = strtoul(cb->arg, NULL, 0);
+ else if (!xtables_strtoui(cb->arg, NULL, &delay, 0, UINT32_MAX))
+ xtables_error(PARAMETER_PROBLEM,
+ "Delay value must be within range 0..%u",
+ UINT32_MAX);
 break;
 case O_LED_ALWAYS_BLINK:
 led->always_blink = 1;
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index 63eb3831..c35ba93d 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
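Review bot: On the success path of the new `else if` the parsed value is thrown away: xtables_strtoui writes it into the local `delay`, but nothing copies it into `led->delay`, so every numeric --led-delay is silently ignored and only "inf" still has an effect (the removed `led->delay = strtoul(...)` did that store). Add the missing branch, `else led->delay = delay;`, after the xtables_error call so the if/else-if/else mirrors the old structure. LED_parse continues past the end of the hunk, so this assumes no later statement in the function stores `delay`, which nothing visible here suggests.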
@@ -1,24 +1,24 @@ -This modules adds and/or deletes entries from IP sets which can be defined +This module adds and/or deletes entries from IP sets which can be defined by ipset(8). .TP \fB\-\-add\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -add the address(es)/port(s) of the packet to the sets +add the address(es)/port(s) of the packet to the set .TP \fB\-\-del\-set\fP \fIsetname\fP \fIflag\fP[\fB,\fP\fIflag\fP...] -delete the address(es)/port(s) of the packet from the sets +delete the address(es)/port(s) of the packet from the set .IP -where flags are +where \fIflag\fP(s) are .BR "src" and/or .BR "dst" specifications and there can be no more than six of them. .TP \fB\-\-timeout\fP \fIvalue\fP -when adding entry, the timeout value to use instead of the default +when adding an entry, the timeout value to use instead of the default one from the set definition .TP \fB\-\-exist\fP -when adding entry if it already exists, reset the timeout value +when adding an entry if it already exists, reset the timeout value to the specified one or to the default from the set definition .PP Use of -j SET requires that ipset kernel support is provided, which, for diff --git a/extensions/libxt_devgroup.c b/extensions/libxt_devgroup.c index 4487c833..4a69c822 100644 --- a/extensions/libxt_devgroup.c +++ b/extensions/libxt_devgroup.c 
@@ -42,58 +42,50 @@ static void devgroup_init(struct xt_entry_match *match) fprintf(stderr, "Warning: %s: %s\n", file, strerror(errno)); } +static void devgroup_parse_groupspec(const char *arg, unsigned int *group, + unsigned int *mask) +{ + char *end; + bool ok; + + ok = xtables_strtoui(arg, &end, group, 0, UINT32_MAX); + if (ok && (*end == '/' || *end == '\0')) { + if (*end == '/') + ok = xtables_strtoui(end + 1, NULL, mask, + 0, UINT32_MAX); + else + *mask = ~0U; + if (!ok) + xtables_error(PARAMETER_PROBLEM, + "Bad group value \"%s\"", arg); + } else { + *group = xtables_lmap_name2id(devgroups, arg); + if (*group == -1) + xtables_error(PARAMETER_PROBLEM, + "Device group \"%s\" not found", arg); + *mask = ~0U; + } +} + static void devgroup_parse(struct xt_option_call *cb) { struct xt_devgroup_info *info = cb->data; - unsigned int id; - char *end; + unsigned int id, mask; xtables_option_parse(cb); switch (cb->entry->id) { case O_SRC_GROUP: - info->src_group = strtoul(cb->arg, &end, 0); - if (end != cb->arg && (*end == '/' || *end == '\0')) { - if (*end == '/') - info->src_mask = strtoul(end+1, &end, 0); - else - info->src_mask = 0xffffffff; - if (*end != '\0' || end == cb->arg) - xtables_error(PARAMETER_PROBLEM, - "Bad src-group value `%s'", - cb->arg); - } else { - id = xtables_lmap_name2id(devgroups, cb->arg); - if (id == -1) - xtables_error(PARAMETER_PROBLEM, - "Device group `%s' not found", - cb->arg); - info->src_group = id; - info->src_mask = 0xffffffff; - } + devgroup_parse_groupspec(cb->arg, &id, &mask); + info->src_group = id; + info->src_mask = mask; info->flags |= XT_DEVGROUP_MATCH_SRC; if (cb->invert) info->flags |= XT_DEVGROUP_INVERT_SRC; break; case O_DST_GROUP: - info->dst_group = strtoul(cb->arg, &end, 0); - if (end != cb->arg && (*end == '/' || *end == '\0')) { - if (*end == '/') - info->dst_mask = strtoul(end+1, &end, 0); - else - info->dst_mask = 0xffffffff; - if (*end != '\0' || end == cb->arg) - xtables_error(PARAMETER_PROBLEM, - "Bad 
dst-group value `%s'", - cb->arg); - } else { - id = xtables_lmap_name2id(devgroups, cb->arg); - if (id == -1) - xtables_error(PARAMETER_PROBLEM, - "Device group `%s' not found", - cb->arg); - info->dst_group = id; - info->dst_mask = 0xffffffff; - } + devgroup_parse_groupspec(cb->arg, &id, &mask); + info->dst_group = id; + info->dst_mask = mask; info->flags |= XT_DEVGROUP_MATCH_DST; if (cb->invert) info->flags |= XT_DEVGROUP_INVERT_DST; diff --git a/extensions/libxt_hashlimit.c b/extensions/libxt_hashlimit.c index 37a31489..831345b7 100644 --- a/extensions/libxt_hashlimit.c +++ b/extensions/libxt_hashlimit.c @@ -10,6 +10,7 @@ * * Error corections by nmalykh@bilim.com (22.01.2005) */ +#include <math.h> #include <stdbool.h> #include <stdint.h> #include <stdio.h> @@ -250,12 +251,13 @@ int parse_rate(const char *rate, uint32_t *val, struct hashlimit_mt_udata *ud) if (!r) return 0; - /* This would get mapped to infinite (1/day is minimum they - can specify, so we're ok at that end). */ - if (r / ud->mult > XT_HASHLIMIT_SCALE) - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); - *val = XT_HASHLIMIT_SCALE * ud->mult / r; + if (*val == 0) + /* + * The rate maps to infinity. (1/day is the minimum they can + * specify, so we are ok at that end). + */ + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); return 1; } @@ -434,6 +436,11 @@ static uint32_t print_rate(uint32_t period) { unsigned int i; + if (period == 0) { + printf(" %f", INFINITY); + return 0; + } + for (i = 1; i < ARRAY_SIZE(rates); ++i) if (period > rates[i].mult || rates[i].mult/period < rates[i].mult%period) diff --git a/extensions/libxt_limit.c b/extensions/libxt_limit.c index b15b02f2..023500cf 100644 --- a/extensions/libxt_limit.c +++ b/extensions/libxt_limit.c @@ -3,6 +3,7 @@ * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr> * Hervé Eychenne <rv@wallfire.org> */ +#include <math.h> #include <stdio.h> #include <string.h> #include <stdlib.h> 
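Review bot: The new helper collapses the two option-specific diagnostics into one: `"Bad group value \"%s\""` and `"Device group \"%s\" not found"` no longer say whether --src-group or --dst-group was at fault, which the removed `"Bad src-group value"` / `"Bad dst-group value"` messages did. Passing a short option label into devgroup_parse_groupspec and printing it, e.g. `"Bad %s value \"%s\""`, keeps that information at no cost. The helper also deserves a header comment stating what it accepts, e.g. `/* Parse "<id>[/<mask>]" or a group name from the devgroups map; a bare id or a name gets an all-ones mask. */`. The `*group == -1` test on an unsigned int relies on the implicit conversion of -1; `(unsigned int)-1` would make the sentinel explicit.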
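Review bot: The new `period == 0` branch in print_rate prints `INFINITY` with `%f`, which comes out as `inf`, and nothing in this file appears to accept that spelling back: parse_rate in the previous hunk returns failure for a zero `r` (`if (!r) return 0;`) and now rejects any rate that would map to a zero period, so iptables-save output containing `inf` would not pass through iptables-restore. Whether a zero period can reach print_rate at all (presumably only from rule data the kernel or another tool wrote) is not visible here; if it cannot, say so on the branch with `/* 0 is rejected by parse_rate; only foreign rule data gets here */`, and if it can, an explicit diagnostic would be safer than an unparsable token.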
@@ -64,12 +65,13 @@ int parse_rate(const char *rate, uint32_t *val) if (!r) return 0; - /* This would get mapped to infinite (1/day is minimum they - can specify, so we're ok at that end). */ - if (r / mult > XT_LIMIT_SCALE) - xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); - *val = XT_LIMIT_SCALE * mult / r; + if (*val == 0) + /* + * The rate maps to infinity. (1/day is the minimum they can + * specify, so we are ok at that end). + */ + xtables_error(PARAMETER_PROBLEM, "Rate too fast \"%s\"\n", rate); return 1; } @@ -118,6 +120,11 @@ static void print_rate(uint32_t period) { unsigned int i; + if (period == 0) { + printf(" %f", INFINITY); + return; + } + for (i = 1; i < ARRAY_SIZE(rates); ++i) if (period > rates[i].mult || rates[i].mult/period < rates[i].mult%period) diff --git a/extensions/libxt_u32.c b/extensions/libxt_u32.c index 6d024fb6..2a7f5d80 100644 --- a/extensions/libxt_u32.c +++ b/extensions/libxt_u32.c @@ -88,17 +88,13 @@ static void u32_dump(const struct xt_u32 *data) /* string_to_number() is not quite what we need here ... */ static uint32_t parse_number(const char **s, int pos) { - uint32_t number; + unsigned int number; char *end; - errno = 0; - number = strtoul(*s, &end, 0); - if (end == *s) + if (!xtables_strtoui(*s, &end, &number, 0, UINT32_MAX) || + end == *s) xtables_error(PARAMETER_PROBLEM, - "u32: at char %d: expected number", pos); - if (errno != 0) - xtables_error(PARAMETER_PROBLEM, - "u32: at char %d: error reading number", pos); + "u32: at char %d: not a number or out of range", pos); *s = end; return number; } diff --git a/iptables/ip6tables-restore.c b/iptables/ip6tables-restore.c index 1ec3dd95..0e8252f4 100644 --- a/iptables/ip6tables-restore.c +++ b/iptables/ip6tables-restore.c 
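Review bot: The `period == 0` branch added to print_rate writes `inf` (what `%f` produces for INFINITY), a token that parse_rate in the hunk above has no way to read back: it treats a zero `r` as failure and now refuses any rate whose period would be zero, so a rule printed this way by iptables-save cannot be restored. If a zero period is only expected from rule data written outside this tool, a comment on the branch such as `/* never produced by parse_rate; only foreign rule data gets here */` would make that explicit; otherwise an error is preferable to an unparsable value.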
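Review bot: In the new parse_number condition the `end == *s` test is most likely redundant: if xtables_strtoui, as its name suggests, fails when no digits were consumed, the first operand already covers that case and `if (!xtables_strtoui(*s, &end, &number, 0, UINT32_MAX))` suffices. If it is kept deliberately as a belt-and-braces guard, a short comment on the line, e.g. `/* defensive: never true when xtables_strtoui succeeds */`, will stop the next reader from wondering which case it catches. The merged message also drops the distinction the removed code made between a missing number and an out-of-range one; `"not a number or out of range"` is acceptable, but printing the limit with `%u` of UINT32_MAX, as libxt_LED.c does in this same series, would tell the user what the range is.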
@@ -114,6 +114,70 @@ static void free_argv(void) { free(newargv[i]); } +static void add_param_to_argv(char *parsestart) +{ + int quote_open = 0, escaped = 0, param_len = 0; + char param_buffer[1024], *curchar; + + /* After fighting with strtok enough, here's now + * a 'real' parser. According to Rusty I'm now no + * longer a real hacker, but I can live with that */ + + for (curchar = parsestart; *curchar; curchar++) { + if (quote_open) { + if (escaped) { + param_buffer[param_len++] = *curchar; + escaped = 0; + continue; + } else if (*curchar == '\\') { + escaped = 1; + continue; + } else if (*curchar == '"') { + quote_open = 0; + *curchar = ' '; + } else { + param_buffer[param_len++] = *curchar; + continue; + } + } else { + if (*curchar == '"') { + quote_open = 1; + continue; + } + } + + if (*curchar == ' ' + || *curchar == '\t' + || * curchar == '\n') { + if (!param_len) { + /* two spaces? */ + continue; + } + + param_buffer[param_len] = '\0'; + + /* check if table name specified */ + if (!strncmp(param_buffer, "-t", 2) + || !strncmp(param_buffer, "--table", 8)) { + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be " + "used in ip6tables-restore.\n", line); + exit(1); + } + + add_argv(param_buffer); + param_len = 0; + } else { + /* regular character, copy to buffer */ + param_buffer[param_len++] = *curchar; + + if (param_len >= sizeof(param_buffer)) + xtables_error(PARAMETER_PROBLEM, + "Parameter too long!"); + } + } +} + int ip6tables_restore_main(int argc, char *argv[]) { struct xtc_handle *handle = NULL; @@ -325,12 +389,6 @@ int ip6tables_restore_main(int argc, char *argv[]) char *bcnt = NULL; char *parsestart; - /* the parser */ - char *curchar; - int quote_open, escaped; - size_t param_len; - char param_buffer[1024]; - /* reset the newargv */ newargc = 0; 
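Review bot: Both stores inside the `quote_open` branch (`param_buffer[param_len++] = *curchar;` in the `escaped` case and in the final `else`) write without any length check, so a quoted argument longer than the 1024-byte `param_buffer` in a restore file overflows the stack buffer; only the unquoted copy further down checks `param_len >= sizeof(param_buffer)`. The check belongs in front of every store, which is simplest with a small helper used at all three sites, as sketched below. `param_len` was `size_t` in the declarations this commit removes and is now `int`, making the comparison with `sizeof(param_buffer)` signed/unsigned; keeping it `size_t` avoids that. The rule file is normally trusted input, but an out-of-bounds stack write is still worth closing.
```c
/* Append c to the parameter being assembled, keeping room for the NUL. */
static void param_buffer_push(char *buf, size_t size, size_t *len, char c)
{
	if (*len >= size - 1)
		xtables_error(PARAMETER_PROBLEM, "Parameter too long!");
	buf[(*len)++] = c;
}

static void add_param_to_argv(char *parsestart)
{
	int quote_open = 0, escaped = 0;
	size_t param_len = 0;
	char param_buffer[1024], *curchar;

	for (curchar = parsestart; *curchar; curchar++) {
		if (quote_open) {
			if (escaped) {
				param_buffer_push(param_buffer, sizeof(param_buffer),
						  &param_len, *curchar);
				escaped = 0;
				continue;
			} else if (*curchar == '\\') {
				escaped = 1;
				continue;
			} else if (*curchar == '"') {
				quote_open = 0;
				*curchar = ' ';
			} else {
				param_buffer_push(param_buffer, sizeof(param_buffer),
						  &param_len, *curchar);
				continue;
			}
		} else {
			/* … unchanged: opening-quote handling … */
		}
		/* … unchanged: whitespace flush, -t rejection, unquoted copy
		 * (also via param_buffer_push) … */
	}
}
```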
@@ -371,67 +429,7 @@ int ip6tables_restore_main(int argc, char *argv[]) add_argv((char *) bcnt); } - /* After fighting with strtok enough, here's now - * a 'real' parser. According to Rusty I'm now no - * longer a real hacker, but I can live with that */ - - quote_open = 0; - escaped = 0; - param_len = 0; - - for (curchar = parsestart; *curchar; curchar++) { - if (quote_open) { - if (escaped) { - param_buffer[param_len++] = *curchar; - escaped = 0; - continue; - } else if (*curchar == '\\') { - escaped = 1; - continue; - } else if (*curchar == '"') { - quote_open = 0; - *curchar = ' '; - } else { - param_buffer[param_len++] = *curchar; - continue; - } - } else { - if (*curchar == '"') { - quote_open = 1; - continue; - } - } - - if (*curchar == ' ' - || *curchar == '\t' - || * curchar == '\n') { - if (!param_len) { - /* two spaces? */ - continue; - } - - param_buffer[param_len] = '\0'; - - /* check if table name specified */ - if (!strncmp(param_buffer, "-t", 2) - || !strncmp(param_buffer, "--table", 8)) { - xtables_error(PARAMETER_PROBLEM, - "Line %u seems to have a " - "-t table option.\n", line); - exit(1); - } - - add_argv(param_buffer); - param_len = 0; - } else { - /* regular character, copy to buffer */ - param_buffer[param_len++] = *curchar; - - if (param_len >= sizeof(param_buffer)) - xtables_error(PARAMETER_PROBLEM, - "Parameter too long!"); - } - } + add_param_to_argv(parsestart); DEBUGP("calling do_command6(%u, argv, &%s, handle):\n", newargc, curtable); diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c index 9f51f993..08225139 100644 --- a/iptables/iptables-restore.c +++ b/iptables/iptables-restore.c 
@@ -113,6 +113,70 @@ static void free_argv(void) { free(newargv[i]); } +static void add_param_to_argv(char *parsestart) +{ + int quote_open = 0, escaped = 0, param_len = 0; + char param_buffer[1024], *curchar; + + /* After fighting with strtok enough, here's now + * a 'real' parser. According to Rusty I'm now no + * longer a real hacker, but I can live with that */ + + for (curchar = parsestart; *curchar; curchar++) { + if (quote_open) { + if (escaped) { + param_buffer[param_len++] = *curchar; + escaped = 0; + continue; + } else if (*curchar == '\\') { + escaped = 1; + continue; + } else if (*curchar == '"') { + quote_open = 0; + *curchar = ' '; + } else { + param_buffer[param_len++] = *curchar; + continue; + } + } else { + if (*curchar == '"') { + quote_open = 1; + continue; + } + } + + if (*curchar == ' ' + || *curchar == '\t' + || * curchar == '\n') { + if (!param_len) { + /* two spaces? */ + continue; + } + + param_buffer[param_len] = '\0'; + + /* check if table name specified */ + if (!strncmp(param_buffer, "-t", 2) + || !strncmp(param_buffer, "--table", 8)) { + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be " + "used in iptables-restore.\n", line); + exit(1); + } + + add_argv(param_buffer); + param_len = 0; + } else { + /* regular character, copy to buffer */ + param_buffer[param_len++] = *curchar; + + if (param_len >= sizeof(param_buffer)) + xtables_error(PARAMETER_PROBLEM, + "Parameter too long!"); + } + } +} + int iptables_restore_main(int argc, char *argv[]) { @@ -325,12 +389,6 @@ iptables_restore_main(int argc, char *argv[]) char *bcnt = NULL; char *parsestart; - /* the parser */ - char *curchar; - int quote_open, escaped; - size_t param_len; - char param_buffer[1024]; - /* reset the newargv */ newargc = 0; 
@@ -371,67 +429,7 @@ iptables_restore_main(int argc, char *argv[]) add_argv((char *) bcnt); } - /* After fighting with strtok enough, here's now - * a 'real' parser. According to Rusty I'm now no - * longer a real hacker, but I can live with that */ - - quote_open = 0; - escaped = 0; - param_len = 0; - - for (curchar = parsestart; *curchar; curchar++) { - if (quote_open) { - if (escaped) { - param_buffer[param_len++] = *curchar; - escaped = 0; - continue; - } else if (*curchar == '\\') { - escaped = 1; - continue; - } else if (*curchar == '"') { - quote_open = 0; - *curchar = ' '; - } else { - param_buffer[param_len++] = *curchar; - continue; - } - } else { - if (*curchar == '"') { - quote_open = 1; - continue; - } - } - - if (*curchar == ' ' - || *curchar == '\t' - || * curchar == '\n') { - if (!param_len) { - /* two spaces? */ - continue; - } - - param_buffer[param_len] = '\0'; - - /* check if table name specified */ - if (!strncmp(param_buffer, "-t", 2) - || !strncmp(param_buffer, "--table", 8)) { - xtables_error(PARAMETER_PROBLEM, - "Line %u seems to have a " - "-t table option.\n", line); - exit(1); - } - - add_argv(param_buffer); - param_len = 0; - } else { - /* regular character, copy to buffer */ - param_buffer[param_len++] = *curchar; - - if (param_len >= sizeof(param_buffer)) - xtables_error(PARAMETER_PROBLEM, - "Parameter too long!"); - } - } + add_param_to_argv(parsestart); DEBUGP("calling do_command4(%u, argv, &%s, handle):\n", newargc, curtable); |