[netfilter-cvslog] r6644 - trunk/iptables

kaber at netfilter.org kaber at netfilter.org
Mon Jul 10 06:52:59 CEST 2006


Author: kaber at netfilter.org
Date: 2006-07-10 06:52:56 +0200 (Mon, 10 Jul 2006)
New Revision: 6644

Modified:
   trunk/iptables/iptables.c
Log:
[PATCH] iptables: handle cidr notation more sanely (Phil Oester <kernel at linuxace.com>)

At present, a command such as

iptables -A foo -s 10.10/16

will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end
up with 10.0.0.0/16, which likely isn't what the user intended.  Yet
some people do expect 10.10 (without the cidr notation) to end up as
10.0.0.10.

The below patch should satisfy all parties.  It zero pads the missing
octets only in the cidr case, leaving the IP untouched otherwise.

This resolves bug #422


Modified: trunk/iptables/iptables.c
===================================================================
--- trunk/iptables/iptables.c	2006-07-07 04:38:12 UTC (rev 6643)
+++ trunk/iptables/iptables.c	2006-07-10 04:52:56 UTC (rev 6644)
@@ -583,6 +583,34 @@
 	return (char *) NULL;
 }
 
+static void 
+pad_cidr(char *cidr)
+{
+	char *p, *q;
+	unsigned int onebyte;
+	int i, j;
+	char buf[20];
+
+	/* copy dotted string, because we need to modify it */
+	strncpy(buf, cidr, sizeof(buf) - 1);
+	buf[sizeof(buf) - 1] = '\0';
+
+	p = buf;
+	for (i = 0; i <= 3; i++) {
+		if ((q = strchr(p, '.')) == NULL)
+			break;
+		*q = '\0';
+		if (string_to_number(p, 0, 255, &onebyte) == -1)
+			return;
+		p = q + 1;
+	}
+
+	/* pad remaining octets with zeros */
+	for (j = i; j < 3; j++) {
+		strcat(cidr, ".0");
+	}
+}
+
 /*
  *	All functions starting with "parse" should succeed, otherwise
  *	the program fails.
@@ -651,6 +679,8 @@
 	if ((p = strrchr(buf, '/')) != NULL) {
 		*p = '\0';
 		addrp = parse_mask(p + 1);
+		if (strrchr(p + 1, '.') == NULL)
+			pad_cidr(buf);
 	} else
 		addrp = parse_mask(NULL);
 	inaddrcpy(maskp, addrp);




More information about the netfilter-cvslog mailing list