[iptables] libxt_recent: do not allow both --set and --rttl
Patrick McHardy
netfilter-cvslog-bounces at lists.netfilter.org
Mon Aug 4 12:52:57 CEST 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=3c5d15c880c6dca1facf666272fc309b5d307def
commit 3c5d15c880c6dca1facf666272fc309b5d307def
Author: Jan Engelhardt <jengelh at medozas.de>
AuthorDate: Mon Aug 4 12:52:27 2008 +0200
Commit: Patrick McHardy <kaber at trash.net>
CommitDate: Mon Aug 4 12:52:27 2008 +0200
libxt_recent: do not allow both --set and --rttl
Reported-by: Erich Schubert <erich at debian.org>
Reference: Debian bug #346034
"I was using the --rttl option in my --set line; this caused all
incoming ssh connections to be rejected; --rttl is only to be used
with --rcheck and --update."
Signed-off-by: Jan Engelhardt <jengelh at medozas.de>
Signed-off-by: Patrick McHardy <kaber at trash.net>
commit d0cbf5f34d3421064eb0fbbcdc6b90cda4e81f2d
Author: Jan Engelhardt <jengelh at medozas.de>
AuthorDate: Mon Aug 4 12:51:01 2008 +0200
Commit: Patrick McHardy <kaber at trash.net>
CommitDate: Mon Aug 4 12:51:01 2008 +0200
iptables-restore: fix segmentation fault with -tanything
Reference: Debian bug #458042
iptables-restore must not pass a table into do_command. It checks for
"-t arg" and "--table arg", but not "-targ". (On a related note,
using -targ does not work as expected).
This should fail gracefully, but crashes:
iptables-restore <(echo -e '*filter\n-A INPUT -tx\nCOMMIT')
And this should use table "filter", or perhaps raise an error, but
instead sets the table to (literally) "-tfilter":
iptables -tfilter -A INPUT
Signed-off-by: Jan Engelhardt <jengelh at medozas.de>
Signed-off-by: Patrick McHardy <kaber at trash.net>
via 3c5d15c880c6dca1facf666272fc309b5d307def (commit)
via d0cbf5f34d3421064eb0fbbcdc6b90cda4e81f2d (commit)
from 415a8580cc2b053687c197e8e25d606e8420c672 (commit)
extensions/libipt_recent.c | 33 +++++++++++++++++++++++----------
ip6tables-restore.c | 2 +-
ip6tables.c | 5 ++---
iptables-restore.c | 2 +-
iptables.c | 5 ++---
5 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index cd6dd03..f51e38f 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -406,7 +406,7 @@ int main(int argc, char *argv[])
param_buffer[param_len] = '\0';
/* check if table name specified */
- if (!strncmp(param_buffer, "-t", 3)
+ if (!strncmp(param_buffer, "-t", 2)
|| !strncmp(param_buffer, "--table", 8)) {
exit_error(PARAMETER_PROBLEM,
"Line %u seems to have a "
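Review bot: with the length lowered to 2, the "-t" comparison becomes a prefix match, so any token in param_buffer that merely begins with "-t" is now reported as a table option. If param_buffer can also hold an option's value, a value starting with "-t" will make the whole line fail; consider applying the test only where an option name is expected, and mention the attached form (-targ) in the error text so the rejection is understandable.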
diff --git a/ip6tables.c b/ip6tables.c
index 2b05392..283a1c2 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1747,7 +1747,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
if (invert)
exit_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
- *table = argv[optind-1];
+ *table = optarg;
break;
case 'x':
@@ -1890,8 +1890,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
if (!m)
exit_error(PARAMETER_PROBLEM,
- "Unknown arg `%s'",
- argv[optind-1]);
+ "Unknown arg `%s'", optarg);
}
}
invert = FALSE;
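Review bot: in the "Unknown arg" branch, optarg is the argument of the option getopt just returned, not the token the user typed, and it is NULL when that option takes no argument. The message then stops naming the offending argument and can hand NULL to %s; keep argv[optind-1] here, or fall back to it when optarg is NULL.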
diff --git a/iptables-restore.c b/iptables-restore.c
index 4b199d9..dcbed14 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -412,7 +412,7 @@ main(int argc, char *argv[])
param_buffer[param_len] = '\0';
/* check if table name specified */
- if (!strncmp(param_buffer, "-t", 3)
+ if (!strncmp(param_buffer, "-t", 2)
|| !strncmp(param_buffer, "--table", 8)) {
exit_error(PARAMETER_PROBLEM,
"Line %u seems to have a "
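Review bot: the "--table" comparison on the unchanged line still uses length 8, which includes the terminating NUL, so it only matches the bare word. A line carrying "--table=filter" fails both tests and is passed through, which is the case the commit message says must not reach do_command; compare 7 bytes and then require the next byte to be NUL or '='.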
diff --git a/iptables.c b/iptables.c
index bf3cbca..41e1836 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1764,7 +1764,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
if (invert)
exit_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
- *table = argv[optind-1];
+ *table = optarg;
break;
case 'x':
@@ -1911,8 +1911,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
}
if (!m)
exit_error(PARAMETER_PROBLEM,
- "Unknown arg `%s'",
- argv[optind-1]);
+ "Unknown arg `%s'", optarg);
}
}
invert = FALSE;
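The two behaviours described in the commit message for d0cbf5f, as an added example that is not part of the patch or of iptables: the restore-side token check with the old and new strncmp length, and the table name seen through argv[optind-1] versus optarg. The helper names is_table_token and table_from and the reduced option string "t:A:" are assumptions made for the demonstration.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Restore-side check; n = 3 is the old length, n = 2 the patched one. */
static int is_table_token(const char *tok, size_t n)
{
    return !strncmp(tok, "-t", n) || !strncmp(tok, "--table", 8);
}

/* Run a getopt_long loop over argv and return the table name taken from
 * argv[optind-1] (use_optarg = 0) or from optarg (use_optarg = 1).
 * Returns NULL when no table option is present. */
static const char *table_from(int argc, char **argv, int use_optarg)
{
    static const struct option opts[] = {
        { "table", required_argument, NULL, 't' },
        { NULL, 0, NULL, 0 }
    };
    const char *table = NULL;
    int c;

    optind = 0;   /* glibc and musl: restart scanning from the beginning */
    opterr = 0;   /* keep getopt quiet, the caller decides what to report */
    while ((c = getopt_long(argc, argv, "t:A:", opts, NULL)) != -1)
        if (c == 't')
            table = use_optarg ? optarg : argv[optind - 1];
    return table;
}

int main(void)
{
    /* Constructed command lines, mirroring the ones in the commit message. */
    char *joined[] = { "iptables", "-tfilter", "-A", "INPUT", NULL };
    char *split[]  = { "iptables", "-t", "filter", "-A", "INPUT", NULL };

    printf("-tx  old check: %d  new check: %d\n",
           is_table_token("-tx", 3), is_table_token("-tx", 2));
    printf("-tfilter   argv[optind-1]: %s  optarg: %s\n",
           table_from(4, joined, 0), table_from(4, joined, 1));
    printf("-t filter  argv[optind-1]: %s  optarg: %s\n",
           table_from(5, split, 0), table_from(5, split, 1));
    return 0;
}
```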