From 3dc433b55bbfaf9df3ee408aaa6282742f377864 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 20 Sep 2019 17:31:58 +0200
Subject: xtables-restore: Fix --table parameter check

Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments:

| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT

Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one.

Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter
Acked-by: Florian Westphal
---
 iptables/xtables.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'iptables/xtables.c')

diff --git a/iptables/xtables.c b/iptables/xtables.c
index 0e0cb5f5..89f3271e 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -879,6 +879,10 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
 if (cs->invert)
 xtables_error(PARAMETER_PROBLEM,
 "unexpected ! flag before --table");
+ if (p->restore && p->table)
+ xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
 if (!nft_table_builtin_find(h, optarg))
 xtables_error(VERSION_PROBLEM,
 "table '%s' does not exist",
--
cgit v1.2.3
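Review bot: The message on the added `"The -t option (seen in line %u) cannot be used in %s.\n"` line ends with `\n` while the two neighbouring xtables_error messages in this hunk (`"unexpected ! flag before --table"` and `"table '%s' does not exist"`) do not, so this error's output format differs from its siblings; drop the trailing `\n` unless xtables_error is known not to append one itself. The new guard also relies on `p->table` already being set when a second -t is encountered, and that assignment is not visible in this hunk, so a one-line comment such as `/* restore mode injects -t from the table line; a second -t comes from the input and is rejected */` would make the intent clear to the next reader. The `%u` conversion presumes `line` is an unsigned type, which cannot be confirmed from these lines. do_parse's body continues outside the hunk.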