[iptables] iptables: correctly check for too-long chain/target/match names

Patrick McHardy netfilter-cvslog-bounces at lists.netfilter.org
Tue Mar 16 20:04:51 CET 2010


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=21d1283750d9c4df7ca80165d2b9dc0b9bd214eb
commit 21d1283750d9c4df7ca80165d2b9dc0b9bd214eb
Author:     Jan Engelhardt <jengelh at medozas.de>
AuthorDate: Tue Mar 16 16:49:21 2010 +0100
Commit:     Jan Engelhardt <jengelh at medozas.de>
CommitDate: Tue Mar 16 17:54:26 2010 +0100

    iptables: correctly check for too-long chain/target/match names
    
    * iptables-restore was not checking for chain name length
    * iptables was not checking for match name length
    * target length was checked against 32, not 29.
    
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 89b6c32f88be47e83c3f6e7f8fee812088cb8c22
Author:     Jan Engelhardt <jengelh at medozas.de>
AuthorDate: Thu Mar 11 00:49:48 2010 +0100
Commit:     Jan Engelhardt <jengelh at medozas.de>
CommitDate: Thu Mar 11 00:49:48 2010 +0100

    libxt_CT: add a manpage
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 3324ac52c80a6213b4bafa007f7b566a2f7ba071
Author:     Jan Engelhardt <jengelh at medozas.de>
AuthorDate: Thu Mar 11 00:24:14 2010 +0100
Commit:     Jan Engelhardt <jengelh at medozas.de>
CommitDate: Thu Mar 11 00:24:14 2010 +0100

    libxt_comment: avoid use of IPv4-specific examples
    
    Since libxt_comment.man is included in both iptables.8 and
    ip6tables.8, we should probably try to create examples that do not
    rely on either address family.
    
    References: http://bugs.debian.org/572628
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

       via  21d1283750d9c4df7ca80165d2b9dc0b9bd214eb (commit)
       via  89b6c32f88be47e83c3f6e7f8fee812088cb8c22 (commit)
       via  3324ac52c80a6213b4bafa007f7b566a2f7ba071 (commit)
      from  9fdbaa71452edaac9d5906716c15937f670341fa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 21d1283750d9c4df7ca80165d2b9dc0b9bd214eb
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Tue Mar 16 16:49:21 2010 +0100

    iptables: correctly check for too-long chain/target/match names
    
    * iptables-restore was not checking for chain name length
    * iptables was not checking for match name length
    * target length was checked against 32, not 29.
    
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 89b6c32f88be47e83c3f6e7f8fee812088cb8c22
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Thu Mar 11 00:49:48 2010 +0100

    libxt_CT: add a manpage
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 3324ac52c80a6213b4bafa007f7b566a2f7ba071
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Thu Mar 11 00:24:14 2010 +0100

    libxt_comment: avoid use of IPv4-specific examples
    
    Since libxt_comment.man is included in both iptables.8 and
    ip6tables.8, we should probably try to create examples that do not
    rely on either address family.
    
    References: http://bugs.debian.org/572628
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

-----------------------------------------------------------------------

 extensions/libxt_CT.c        |    2 +-
 extensions/libxt_CT.man      |   25 +++++++++++++++++++++++++
 extensions/libxt_comment.man |    2 +-
 ip6tables-restore.c          |    6 ++++++
 ip6tables.c                  |    4 ++--
 iptables-restore.c           |    6 ++++++
 iptables.c                   |    4 ++--
 xtables.c                    |    5 +++++
 8 files changed, 48 insertions(+), 6 deletions(-)
 create mode 100644 extensions/libxt_CT.man

diff --git a/extensions/libxt_comment.man b/extensions/libxt_comment.man
index 94f871e..faaee2a 100644
--- a/extensions/libxt_comment.man
+++ b/extensions/libxt_comment.man
@@ -3,4 +3,4 @@ Allows you to add comments (up to 256 characters) to any rule.
 \fB\-\-comment\fP \fIcomment\fP
 .TP
 Example:
-iptables \-A INPUT \-s 192.168.0.0/16 \-m comment \-\-comment "A privatized IP block"
+iptables \-A INPUT \-i eth1 \-m comment \-\-comment "my local LAN"
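
Review bot: The replacement example on the `+` line still starts with the literal command name `iptables`, so when libxt_comment.man is included in ip6tables.8 the reader is still shown the IPv4 tool, even though the match on `\-i eth1` itself no longer depends on an address family. Consider stating next to "Example:" that the same rule applies with ip6tables, or wording the example without the command name. Minor style point on the same line: "local LAN" is redundant, "my LAN" says the same.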


