Patchwork ip{,6}tables-save misleading return code

Submitter mancha
Date Oct. 14, 2013, 8:38 p.m.
Message ID <20131014203816.CC16360191@smtp.hushmail.com>
Permalink /patch/283388/
State Not Applicable

Comments

mancha - Oct. 14, 2013, 8:38 p.m.
Hello, this came up on freenode's #netfilter today.

ip{,6}tables-save(8), when run as an unprivileged user (who
doesn't have access to /proc/net/ip{,6}_tables_names), displays
no output and returns 0 because of a Boolean inversion.

luser@myhost:~$ iptables-save; echo $? 
0

The patch below changes the return to 1 if fopen() fails.
Additionally, one could add "if (errno == EACCES)" conditioned
error messages.

--mancha


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
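
The failure mode reported in the message above (exit status 0 with no output) can silently replace a saved ruleset with an empty file. The following is an added example, not part of the thread or of iptables: a POSIX shell wrapper that checks the dump itself as well as the exit status. The name `save_ruleset` and the stand-in commands are assumptions, and it presumes the host has at least one table loaded, so a valid dump contains a `*<table>` line and a `COMMIT` line.

```shell
# Added example (not iptables code). Usage: save_ruleset DEST CMD [ARGS...]
# e.g. save_ruleset /etc/iptables.rules iptables-save
save_ruleset() {
    sr_dest=$1
    shift
    # Write next to the destination so the final mv is a rename, not a copy.
    sr_tmp=$(mktemp "${sr_dest}.XXXXXX") || return 1

    # 1. A non-zero exit status is always a failure.
    if ! "$@" > "$sr_tmp"; then
        echo "save_ruleset: '$*' exited non-zero, keeping old $sr_dest" >&2
        rm -f "$sr_tmp"
        return 1
    fi

    # 2. Exit status 0 is not proof of a dump: require at least one
    #    "*<table>" header and a "COMMIT" line before replacing DEST.
    if ! grep -q '^\*' "$sr_tmp" || ! grep -q '^COMMIT$' "$sr_tmp"; then
        echo "save_ruleset: '$*' produced no ruleset, keeping old $sr_dest" >&2
        rm -f "$sr_tmp"
        return 1
    fi

    mv "$sr_tmp" "$sr_dest"
}

# Constructed stand-ins for the save command, used to exercise the wrapper
# without root or a loaded firewall.
fake_save_ok() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' 'COMMIT'
}
fake_save_silent() { return 0; }   # the reported behaviour: no output, status 0
fake_save_error()  { return 1; }   # the behaviour after the fix
```

On a host that deliberately has no tables loaded, an empty dump is legitimate and the second check should be relaxed.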
Pablo Neira - Oct. 17, 2013, 8:39 a.m.
Hi,

On Mon, Oct 14, 2013 at 08:38:16PM +0000, mancha wrote:
> Hello, this came up on freenode's #netfilter today.
> 
> ip{,6}tables-save(8), when run as an unprivileged user (who
> doesn't have access to /proc/net/ip{,6}_tables_names), displays
> no output and returns 0 because of a Boolean inversion.
> 
> luser@myhost:~$ iptables-save; echo $? 
> 0
> 
> The patch below changes the return to 1 if fopen() fails.
> Additionally, one could add "if (errno == EACCES)" conditioned
> error messages.

Need your Signed-off-by tag / full name to take this patch, please,
let me know. No need to resend, I'll amend it. Thanks.
mancha - Oct. 17, 2013, 6:10 p.m.
Pablo Neira Ayuso <pablo <at> netfilter.org> writes:
> 
> Need your Signed-off-by tag / full name to take this patch, please,
> let me know. No need to resend, I'll amend it. Thanks.

Hi. Thank you for your email.

As for attribution, my Signed-off-by tag is "mancha". I didn't mean to
add more work for you. In the future I'll submit using git format-patch.

Thanks!

--mancha




Patch

--- a/iptables/iptables-save.c  2013-10-14
+++ b/iptables/iptables-save.c  2013-10-14
@@ -40,7 +40,7 @@  static int for_each_table(int (*func)(co

        procfile = fopen("/proc/net/ip_tables_names", "re");
        if (!procfile)
-               return ret;
+               return 0;

        while (fgets(tablename, sizeof(tablename), procfile)) {
                if (tablename[strlen(tablename) - 1] != '\n')
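
Review bot: the `if (!procfile)` branch still returns without printing anything, so an unprivileged user gets empty output and has only the exit status to explain it. Consider writing the fopen() failure to stderr before `return 0;`, naming /proc/net/ip_tables_names and using strerror(errno), which is the direction the cover message already suggests with its errno check.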
--- a/iptables/ip6tables-save.c 2013-10-14
+++ b/iptables/ip6tables-save.c 2013-10-14
@@ -42,7 +42,7 @@  static int for_each_table(int (*func)(co

        procfile = fopen("/proc/net/ip6_tables_names", "re");
        if (!procfile)
-               return ret;
+               return 0;

        while (fgets(tablename, sizeof(tablename), procfile)) {
                if (tablename[strlen(tablename) - 1] != '\n')
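
Review bot: the literal `return 0;` in the `if (!procfile)` branch reads as the opposite of the cover message, which says the return becomes 1 when fopen() fails; that is only true if the caller negates the result of for_each_table(), which these lines do not show. A one-line comment at the return stating that 0 means failure here, or a sentence in the commit message, would keep a later reader from reverting it. The same edit is applied to both iptables-save.c and ip6tables-save.c, so the comment belongs in both.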