Message ID | 1349000540-17508-7-git-send-email-jengelh@inai.de |
---|---|
State | Superseded |
Headers | show |
On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote: > Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the > cmd flags, but -S was in fact commands_v_options[13]. This led to a > bogus option checking and an error message: > > $ iptables -A foo -S > iptables v1.4.14: Cannot use -E with -A Are you fixing old bugs? This works here: # iptables -A foo -S iptables v1.4.15: Cannot use -S with -A Try `iptables -h' or 'iptables --help' for more information. See: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=067a9baf6dc82babe466078ab3c05354c7741271 > References: http://bugs.debian.org/642173 > Signed-off-by: Jan Engelhardt <jengelh@inai.de> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sunday 2012-09-30 23:09, Pablo Neira Ayuso wrote: >On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote: >> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the >> cmd flags, but -S was in fact commands_v_options[13]. This led to a >> bogus option checking and an error message: >> >> $ iptables -A foo -S >> iptables v1.4.14: Cannot use -E with -A > >Are you fixing old bugs? >This works here: ># iptables -A foo -S >iptables v1.4.15: Cannot use -S with -A Hm. >http://git.netfilter.org/[...]h=067a9baf6dc82babe466078ab3c05354c7741271 You only changed the "cmdflags" variable so that it lines up with the CMD_ flags, however, you forgot to line up "commands_v_options" as well. Indeed your patch 067a9baf fixes "cannot use $that with $that". My commit message was wrong, as I was misled by v1.4.14 behavior. In fact, I had the real issue written down first. Approximate excerpt from the reflog: iptables: fix order of command flags for option parser Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the cmd flags, but -S was in fact commands_v_options[13]. This problem never manifested itself before, because the [8]-[13] mostly had the same 'x' pattern. Now, when trying to allow --line-numbers for -S, the issue showed itself as --line-numbers was still rejected even after swapping 'x' for ' '. References: http://bugs.debian.org/642173 Does that make more sense? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Sep 30, 2012 at 11:25:42PM +0200, Jan Engelhardt wrote: > > On Sunday 2012-09-30 23:09, Pablo Neira Ayuso wrote: > >On Sun, Sep 30, 2012 at 12:22:09PM +0200, Jan Engelhardt wrote: > >> Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the > >> cmd flags, but -S was in fact commands_v_options[13]. This led to a > >> bogus option checking and an error message: > >> > >> $ iptables -A foo -S > >> iptables v1.4.14: Cannot use -E with -A > > > >Are you fixing old bugs? > >This works here: > ># iptables -A foo -S > >iptables v1.4.15: Cannot use -S with -A > > Hm. > > >http://git.netfilter.org/[...]h=067a9baf6dc82babe466078ab3c05354c7741271 > > You only changed the "cmdflags" variable so that it lines up with > the CMD_ flags, however, you forgot to line up "commands_v_options" > as well. > > Indeed your patch 067a9baf fixes "cannot use $that with $that". > My commit message was wrong, as I was misled by v1.4.14 behavior. > In fact, I had the real issue written down first. Approximate > excerpt from the reflog: > > > iptables: fix order of command flags for option parser > > Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the > cmd flags, but -S was in fact commands_v_options[13]. > > This problem never manifested itself before, because the [8]-[13] mostly > had the same 'x' pattern. Now, when trying to allow --line-numbers for > -S, the issue showed itself as --line-numbers was still rejected even > after swapping 'x' for ' '. > > References: http://bugs.debian.org/642173 > > > Does that make more sense? Yes, that log description looks correct to me. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index f93bfb3..b2c8776 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -76,12 +76,12 @@ #define CMD_LIST 0x0020U #define CMD_FLUSH 0x0040U #define CMD_ZERO 0x0080U -#define CMD_NEW_CHAIN 0x0100U -#define CMD_DELETE_CHAIN 0x0200U -#define CMD_SET_POLICY 0x0400U -#define CMD_RENAME_CHAIN 0x0800U -#define CMD_LIST_RULES 0x1000U -#define CMD_ZERO_NUM 0x2000U +#define CMD_ZERO_NUM 0x0100U +#define CMD_NEW_CHAIN 0x0200U +#define CMD_DELETE_CHAIN 0x0400U +#define CMD_SET_POLICY 0x0800U +#define CMD_RENAME_CHAIN 0x1000U +#define CMD_LIST_RULES 0x2000U #define CMD_CHECK 0x4000U #define NUMBER_OF_CMD 16 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z', diff --git a/iptables/iptables.c b/iptables/iptables.c index 5786bfd..8884c6a 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -72,12 +72,12 @@ #define CMD_LIST 0x0020U #define CMD_FLUSH 0x0040U #define CMD_ZERO 0x0080U -#define CMD_NEW_CHAIN 0x0100U -#define CMD_DELETE_CHAIN 0x0200U -#define CMD_SET_POLICY 0x0400U -#define CMD_RENAME_CHAIN 0x0800U -#define CMD_LIST_RULES 0x1000U -#define CMD_ZERO_NUM 0x2000U +#define CMD_ZERO_NUM 0x0100U +#define CMD_NEW_CHAIN 0x0200U +#define CMD_DELETE_CHAIN 0x0400U +#define CMD_SET_POLICY 0x0800U +#define CMD_RENAME_CHAIN 0x1000U +#define CMD_LIST_RULES 0x2000U #define CMD_CHECK 0x4000U #define NUMBER_OF_CMD 16 static const char cmdflags[] = { 'I', 'D', 'D', 'R', 'A', 'L', 'F', 'Z',
Specifying -S on the command line would add 4096 (0x1000, 1<<12) to the cmd flags, but -S was in fact commands_v_options[13]. This led to a bogus option checking and an error message: $ iptables -A foo -S iptables v1.4.14: Cannot use -E with -A References: http://bugs.debian.org/642173 Signed-off-by: Jan Engelhardt <jengelh@inai.de> --- iptables/ip6tables.c | 12 ++++++------ iptables/iptables.c | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-)