Patchwork [06/17] iptables: fix order of internal commands list

Submitter Jan Engelhardt
Date Sept. 30, 2012, 10:22 a.m.
Message ID <1349000540-17508-7-git-send-email-jengelh@inai.de>
Permalink /patch/188153/
State Superseded

Comments

Jan Engelhardt - Sept. 30, 2012, 10:22 a.m.
Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
cmd flags, but -S was in fact commands_v_options[13]. This led to a
bogus option checking and an error message:

$ iptables -A foo -S
iptables v1.4.14: Cannot use -E with -A

References: http://bugs.debian.org/642173
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 iptables/ip6tables.c |   12 ++++++------
 iptables/iptables.c  |   12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)
Pablo Neira - Sept. 30, 2012, 9:09 p.m.
On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote:
> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
> cmd flags, but -S was in fact commands_v_options[13]. This led to a
> bogus option checking and an error message:
> 
> $ iptables -A foo -S
> iptables v1.4.14: Cannot use -E with -A

Are you fixing old bugs?

This works here:

# iptables -A foo -S
iptables v1.4.15: Cannot use -S with -A

Try `iptables -h' or 'iptables --help' for more information.

See:

http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=067a9baf6dc82babe466078ab3c05354c7741271

> References: http://bugs.debian.org/642173
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jan Engelhardt - Sept. 30, 2012, 9:25 p.m.
On Sunday 2012-09-30 23:09, Pablo Neira Ayuso wrote:
>On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote:
>> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
>> cmd flags, but -S was in fact commands_v_options[13]. This led to a
>> bogus option checking and an error message:
>> 
>> $ iptables -A foo -S
>> iptables v1.4.14: Cannot use -E with -A
>
>Are you fixing old bugs?
>This works here:
># iptables -A foo -S
>iptables v1.4.15: Cannot use -S with -A

Hm.

>http://git.netfilter.org/[...]h=067a9baf6dc82babe466078ab3c05354c7741271

You only changed the "cmdflags" variable so that it lines up with
the CMD_ flags, however, you forgot to line up "commands_v_options"
as well.

Indeed your patch 067a9baf fixes "cannot use $that with $that".
My commit message was wrong, as I was misled by v1.4.14 behavior.
In fact, I had the real issue written down first. Approximate
excerpt from the reflog:


    iptables: fix order of command flags for option parser
    
    Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
    cmd flags, but -S was in fact commands_v_options[13].
    
    This problem never manifested itself before, because the [8]-[13] mostly
    had the same 'x' pattern. Now, when trying to allow --line-numbers for
    -S, the issue showed itself as --line-numbers was still rejected even
    after swapping 'x' for ' '.
    
    References: http://bugs.debian.org/642173


Does that make more sense?
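The point of Jan's reply is that a command is a single bit, and that bit's position is used as the index into both the letter table cmdflags[] and the rows of commands_v_options, so the CMD_ values and both tables have to be kept in one order. The following is an added, constructed model of that lookup (not iptables' own code and not from this thread): the first eight letters of cmdflags[] are the ones visible in the hunk, the remaining letters, the toy commands_v_options matrix and the function names cmd_index, cmd2char, option_allowed and count_mismatches are this example's own assumptions. The pre-patch and patched bit values are taken from the hunk's "-" and "+" lines, and the old value of CMD_LIST_RULES reproduces both symptoms described in the thread: the wrong letter in "Cannot use -E with -A" and --line-numbers still being rejected for -S after its row was opened up.

```c
/* Constructed model (not iptables' own code) of how a command bit is mapped
 * to its option letter and to its commands_v_options row: in both cases the
 * index is the command's bit position, so the CMD_* values, cmdflags[] and
 * the rows of commands_v_options must all follow one order. */
#include <assert.h>
#include <stdio.h>

#define NUMBER_OF_CMD 16

/* Option letters in table order. The first eight are the ones visible in the
 * patch hunk; the rest follow the patched bit order and are an assumption. */
static const char cmdflags[NUMBER_OF_CMD] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
                                              'Z', 'N', 'X', 'P', 'E', 'S', 'C' };

/* Toy commands_v_options: row = command bit position, column = option.
 * ' ' means the option is allowed with that command; anything else (including
 * the 0 of unlisted rows) means it is rejected. Row 13 is -S with
 * --line-numbers allowed, as in the reflog excerpt. Constructed data. */
enum { OPT_NUMERIC = 0, OPT_LINENUMBERS = 1, NUMBER_OF_OPT = 2 };
static const char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] = {
    [5]  = { ' ', ' ' },   /* -L: -n and --line-numbers allowed */
    [13] = { ' ', ' ' },   /* -S: same, after swapping 'x' for ' ' */
};

/* Bit position of a single-bit command flag (0..15), or -1 if none is set. */
static int cmd_index(unsigned int cmd)
{
    for (int i = 0; i < NUMBER_OF_CMD; i++)
        if (cmd & (1u << i))
            return i;
    return -1;
}

/* Letter printed in "Cannot use -X with -Y" messages. */
static char cmd2char(unsigned int cmd)
{
    int i = cmd_index(cmd);
    return i < 0 ? '?' : cmdflags[i];
}

/* 1 if option opt may be combined with command cmd, else 0. */
static int option_allowed(unsigned int cmd, int opt)
{
    int i = cmd_index(cmd);
    return i >= 0 && commands_v_options[i][opt] == ' ';
}

struct cmd_entry { unsigned int bit; char letter; };

/* Bit values from the hunk's "-" lines, with the letter each command means. */
static const struct cmd_entry cmd_old[] = {
    { 0x0100U, 'N' }, { 0x0200U, 'X' }, { 0x0400U, 'P' },   /* -N -X -P     */
    { 0x0800U, 'E' }, { 0x1000U, 'S' }, { 0x2000U, 'Z' },   /* -E -S -Z num */
};
/* Bit values from the hunk's "+" lines. */
static const struct cmd_entry cmd_fixed[] = {
    { 0x0100U, 'Z' }, { 0x0200U, 'N' }, { 0x0400U, 'X' },   /* -Z num -N -X */
    { 0x0800U, 'P' }, { 0x1000U, 'E' }, { 0x2000U, 'S' },   /* -P -E -S     */
};

/* Startup self-check: number of commands whose bit does not map back to its
 * own letter. Anything but 0 means the defines and the tables have drifted. */
static int count_mismatches(const struct cmd_entry *t, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (cmd2char(t[i].bit) != t[i].letter)
            bad++;
    return bad;
}

int main(void)
{
    printf("old -S bit 0x1000: prints as -%c, --line-numbers allowed: %d\n",
           cmd2char(0x1000U), option_allowed(0x1000U, OPT_LINENUMBERS));
    printf("new -S bit 0x2000: prints as -%c, --line-numbers allowed: %d\n",
           cmd2char(0x2000U), option_allowed(0x2000U, OPT_LINENUMBERS));
    printf("mismatches: old %d, fixed %d\n",
           count_mismatches(cmd_old, sizeof cmd_old / sizeof cmd_old[0]),
           count_mismatches(cmd_fixed, sizeof cmd_fixed / sizeof cmd_fixed[0]));
    return 0;
}
```

With the old values every entry from bit 8 upward maps to a neighbouring command's letter and row, which is why the mismatch stayed invisible as long as rows 8 to 13 carried the same 'x' pattern; a check like count_mismatches run at startup (or a unit test over the real tables) turns that silent misindexing into a hard failure.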
Pablo Neira - Sept. 30, 2012, 10:13 p.m.
On Sun, Sep 30, 2012 at 11:25:42PM +0200, Jan Engelhardt wrote:
> 
> On Sunday 2012-09-30 23:09, Pablo Neira Ayuso wrote:
> >On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote:
> >> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
> >> cmd flags, but -S was in fact commands_v_options[13]. This led to a
> >> bogus option checking and an error message:
> >> 
> >> $ iptables -A foo -S
> >> iptables v1.4.14: Cannot use -E with -A
> >
> >Are you fixing old bugs?
> >This works here:
> ># iptables -A foo -S
> >iptables v1.4.15: Cannot use -S with -A
> 
> Hm.
> 
> >http://git.netfilter.org/[...]h=067a9baf6dc82babe466078ab3c05354c7741271
> 
> You only changed the "cmdflags" variable so that it lines up with
> the CMD_ flags, however, you forgot to line up "commands_v_options"
> as well.
> 
> Indeed your patch 067a9baf fixes "cannot use $that with $that".
> My commit message was wrong, as I was misled by v1.4.14 behavior.
> In fact, I had the real issue written down first. Approximate
> excerpt from the reflog:
> 
> 
>     iptables: fix order of command flags for option parser
>     
>     Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the
>     cmd flags, but -S was in fact commands_v_options[13].
>     
>     This problem never manifested itself before, because the [8]-[13] mostly
>     had the same 'x' pattern. Now, when trying to allow --line-numbers for
>     -S, the issue showed itself as --line-numbers was still rejected even
>     after swapping 'x' for ' '.
>     
>     References: http://bugs.debian.org/642173
> 
> 
> Does that make more sense?

Yes, that log description looks correct to me. Thanks.

Patch

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index f93bfb3..b2c8776 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -76,12 +76,12 @@ 
 #define CMD_LIST		0x0020U
 #define CMD_FLUSH		0x0040U
 #define CMD_ZERO		0x0080U
-#define CMD_NEW_CHAIN		0x0100U
-#define CMD_DELETE_CHAIN	0x0200U
-#define CMD_SET_POLICY		0x0400U
-#define CMD_RENAME_CHAIN	0x0800U
-#define CMD_LIST_RULES		0x1000U
-#define CMD_ZERO_NUM		0x2000U
+#define CMD_ZERO_NUM		0x0100U
+#define CMD_NEW_CHAIN		0x0200U
+#define CMD_DELETE_CHAIN	0x0400U
+#define CMD_SET_POLICY		0x0800U
+#define CMD_RENAME_CHAIN	0x1000U
+#define CMD_LIST_RULES		0x2000U
 #define CMD_CHECK		0x4000U
 #define NUMBER_OF_CMD	16
 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
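Review bot: the reordered values put CMD_ZERO_NUM at bit 8 and CMD_LIST_RULES at bit 13 (0x2000U = 1<<13), which agrees with the message's statement that -S is commands_v_options[13], but the hunk ends after the first eight entries of cmdflags[] ('I' ... 'Z'), so whether indices 8 to 13 of cmdflags[] and the corresponding rows of commands_v_options already follow this new order cannot be checked from the hunk; please extend the context to the full cmdflags[] initializer or state in the message that both tables are in the new order. Since the thread shows the letter table and the defines having been realigned separately before, a short comment above the CMD_ defines saying that the bit position is the index into cmdflags[] and commands_v_options would make the invariant explicit.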
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 5786bfd..8884c6a 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -72,12 +72,12 @@ 
 #define CMD_LIST		0x0020U
 #define CMD_FLUSH		0x0040U
 #define CMD_ZERO		0x0080U
-#define CMD_NEW_CHAIN		0x0100U
-#define CMD_DELETE_CHAIN	0x0200U
-#define CMD_SET_POLICY		0x0400U
-#define CMD_RENAME_CHAIN	0x0800U
-#define CMD_LIST_RULES		0x1000U
-#define CMD_ZERO_NUM		0x2000U
+#define CMD_ZERO_NUM		0x0100U
+#define CMD_NEW_CHAIN		0x0200U
+#define CMD_DELETE_CHAIN	0x0400U
+#define CMD_SET_POLICY		0x0800U
+#define CMD_RENAME_CHAIN	0x1000U
+#define CMD_LIST_RULES		0x2000U
 #define CMD_CHECK		0x4000U
 #define NUMBER_OF_CMD	16
 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
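Review bot: this block is a line-for-line duplicate of the ip6tables.c hunk (the same six defines moved, the same NUMBER_OF_CMD 16, the same cmdflags[] opening line), and the bug being fixed came from hand-maintained copies of the defines and their tables drifting apart; consider moving the CMD_ values and NUMBER_OF_CMD into a header shared by both front-ends so they are defined once, or at least carry the same ordering comment in both files so the next reorder is applied to both.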