summaryrefslogtreecommitdiffstats
path: root/iptables/iptables-restore.c
Commit message (Collapse)AuthorAgeFilesLines
* consistently use <errno.h>Felix Janda2015-05-021-1/+1
| | | | | | | | | On glibc, <sys/errno.h> is a synomym for <errno.h>. <errno.h> is specified by POSIX, so use that. Fixes compilation error with musl libc Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-{save,restore}: warn that -b/--binary isn't implementedJiri Popelka2014-03-171-5/+3
| | | | | | see also 296dca39be Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip{6}tables-restore: fix breakage due to new locking approachPablo Neira Ayuso2013-07-081-1/+1
| | | | | | | | | | | | | | | | Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances), ip{6}tables-restore does not work anymore: iptables-restore < x Another app is currently holding the xtables lock. Perhaps you want to use the -w option? do_command{6}(...) is called from ip{6}tables-restore for every iptables command contained in the rule-set file. Thus, hitting the lock error after the second command. Fix it by bypassing the locking in the ip{6}tables-restore path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip[6]tables-restore: cleanup to reduce one level of indentationPablo Neira Ayuso2012-08-031-69/+65
| | | | | | | This patch moves the parameter parsing to one function to reduce one level of indentation. Jan Engelhardt likes this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore: warn about -t in rule linesJan Engelhardt2012-07-311-2/+4
| | | | | | | save-restore syntax uses *table, not -t table. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-restore: fix parameter parsing (shows up with gcc-4.7)Pablo Neira Ayuso2012-07-301-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes parameter parsing in iptables-restore since time ago. The problem has shown up with gcc-4.7. This version of gcc seem to perform more agressive memory management than previous. Peter Lekensteyn provided the following sample code similar to the one in iptables-restore: int i = 0; for (;;) { char x[5]; x[i] = '0' + i; if (++i == 4) { x[i] = '\0'; /* terminate string with null byte */ printf("%s\n", x); break; } } Many may expect 0123 as output. But GCC 4.7 does not do that when compiling with optimization enabled (-O1 and higher). It instead puts random data in the first bytes of the character array, which becomes: | 0 | 1 | 2 | 3 | 4 | | RANDOM | '3' | '\0' | Since the array is declared inside the scope of loop's body, you can think of it as of a new array being allocated in the automatic storage area for each loop iteration. The correct code should be: char x[5]; for (;;) { x[i] = '0' + i; if (++i == 4) { x[i] = '\0'; /* terminate string with null byte */ printf("%s\n", x); break; } } Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"Pablo Neira Ayuso2012-07-301-65/+68
| | | | | | | | This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220. Apply instead a patch that really clarifies the bug in iptables-restore. This should be good for the record (specifically, for distributors so they can find the fix by googling).
* iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)Pablo Neira Ayuso2012-07-251-68/+65
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch seems to be a mere cleanup that moves the parameter parsing code to add_param_to_argv. But, in reality, it also fixes iptables when compiled with gcc-4.7. Moving param_buffer declaration out of the loop seems to resolve the issue. gcc-4.7 seems to be generating bad code regarding param_buffer. @@ -380,9 +380,9 @@ quote_open = 0; escaped = 0; param_len = 0; + char param_buffer[1024]; for (curchar = parsestart; *curchar; curchar++) { - char param_buffer[1024]; if (quote_open) { if (escaped) { But I have hard time to apply this patch in such a way. Instead, I came up with the idea of this cleanup, which does not harm after all (and fixes the issue for us). Someone in: https://bugzilla.redhat.com/show_bug.cgi?id=82579 put some light on this: "Yes, I ran into this too. The issue is that the gcc optimizer is optimizing out the code that collects quoted strings in iptables-restore.c at line 396. If inside a quotemark and it hasn't seen another one yet, it executes param_buffer[param_len++] = *curchar; continue; At -O1 or higher, the write to param_buffer[] never happens. It just increments param_len and continues. Moving the definition of char param_buffer[1024]; outside the loop fixes it. Why, I'm not sure. Defining the param_buffer[] inside the loop should simply restrict its scope to inside the loop." Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip(6)tables-restore: make sure argv is NULL terminatedFlorian Westphal2012-05-141-1/+1
| | | | | | | | | | Else, argv[argc] may point to free'd memory. Some extensions, e.g. rateest, may fail to parse valid input because argv[optind] (with optind == argc) is not NULL. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6tables-restore: make code look alike with iptables-restoreJan Engelhardt2011-09-111-14/+15
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: resolve old macro names that are indirectionsJan Engelhardt2011-09-111-7/+6
| | | | | | | | | | | Command used: git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/) and then fix all occurrences. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: combine common types: _handleJan Engelhardt2011-09-111-3/+3
| | | | | | | No real API/ABI change incurred, since the definition of the structs' types is not visible anyhow. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove unused IPTABLES_MULTI defineJan Engelhardt2011-08-261-5/+0
| | | | | | This dead code has been lingering around since commit v1.4.5~7. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: REVERSE_INULLJiri Popelka2011-06-221-2/+1
| | | | | | | | | | | | | | ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in". ip6tables-restore.c:463: check_after_deref: Dereferencing "in" before a null check. iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in". iptables-restore.c:468: check_after_deref: Dereferencing "in" before a null check. iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in". iptables-xml.c:873: check_after_deref: Dereferencing "in" before a null check. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all iptables pieces into a separate directoryJan Engelhardt2011-06-071-0/+471
(Unclutter top-level dir) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>