patch for bug in libipt_REJECT.c:save() in iptables 1.2.2

Jed Davis jldavis@cs.oberlin.edu
08 Jul 2001 19:57:29 -0400


The save() function in the module for the REJECT match in iptables
1.2.2 (debian-version 2; the debian patch doesn't touch this code)
assumed that the values in enum ipt_reject_with would work for
indexing into the reject_table array; for anything beyond the
#if'ed-out IPT_ICMP_ECHOREPLY, this is not the case.  For instance, a
rule that specifies "--reject-with tcp-reset" was saved as
"--reject-with reject-with", which iptables-restore choked on, because
IPT_TCP_RESET (the last value in the enum) was off the end of the
array (!).

The print() function, immediately above, used a loop to see which
element of reject_table has the correct "with" field; I copied the
loop into save, and this is the resulting diff:

-->8--begin diff-->8--
--- extensions/libipt_REJECT.c.old      Mon Dec 18 00:09:52 2000
+++ extensions/libipt_REJECT.c  Sun Jul  8 19:25:07 2001
@@ -146,8 +146,13 @@
 {
        const struct ipt_reject_info *reject
                = (const struct ipt_reject_info *)target->data;
+       unsigned int i;
 
-       printf("--reject-with %s ", reject_table[reject->with].name);
+       for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
+               if (reject_table[i].with == reject->with)
+                       break;
+       }
+       printf("--reject-with %s ", reject_table[i].name);
 }
 
 struct iptables_target reject
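Review bot: the loop has no not-found guard, so if reject->with matches no entry, i equals sizeof(reject_table)/sizeof(struct reject_names) when the loop exits and reject_table[i].name is read one past the end of the array, which is the same class of out-of-bounds read this hunk sets out to remove. Suggest checking the counter after the loop before using it, e.g. `if (i == sizeof(reject_table)/sizeof(struct reject_names))` followed by an error or a fallback name, and since print() immediately above already carries the identical loop, factoring the search into a small static helper that returns the index or -1 would let both callers share the bound check.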
--8<--end diff--8<--

With this modification, the rule I have that specifies --reject-with
tcp-reset is saved correctly and restored successfully.  

--Jed Davis

-- 
"But life wasn't yes-no, on-off.  Life was shades of gray, and rainbows
not in the order of the spectrum."   -- L. E. Modesitt, Jr., _Adiamante_

sub f{(($n,$d,@_)=@_)?(substr(" ExhortJavelinBus",$n&&$d/$n,1),$n?f($d%$n,$
n,@_):&f):("\n")}print f 1461,10324,55001,444162,1208,1341,5660480,79715997
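The failure described in the mail (a dense enum used directly as an index into a name table that is sparse because one entry is compiled out) is easy to reproduce in isolation. The following is an added example, not Jed's patch and not iptables code: the enum values, names and table layout are constructed to mimic the situation, and the lookup functions return NULL for the cases where the real code would read past the end of the array, so the mismatch can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed mimic of the situation in the mail: the enum is dense,
 * but the table below skips one value because its entry is #if'ed out,
 * so enum values after the gap no longer equal their table index. */
enum reject_with {
    RW_ICMP_NET_UNREACHABLE,
    RW_ICMP_HOST_UNREACHABLE,
    RW_ICMP_PROT_UNREACHABLE,
    RW_ICMP_PORT_UNREACHABLE,
    RW_ICMP_NET_PROHIBITED,
    RW_ICMP_HOST_PROHIBITED,
    RW_ICMP_ECHOREPLY,      /* table entry compiled out below */
    RW_TCP_RESET            /* last value: one past the table's end */
};

struct reject_name {
    const char *name;
    enum reject_with with;
};

static const struct reject_name reject_table[] = {
    { "icmp-net-unreachable",   RW_ICMP_NET_UNREACHABLE },
    { "icmp-host-unreachable",  RW_ICMP_HOST_UNREACHABLE },
    { "icmp-proto-unreachable", RW_ICMP_PROT_UNREACHABLE },
    { "icmp-port-unreachable",  RW_ICMP_PORT_UNREACHABLE },
    { "icmp-net-prohibited",    RW_ICMP_NET_PROHIBITED },
    { "icmp-host-prohibited",   RW_ICMP_HOST_PROHIBITED },
#if 0
    { "echo-reply",             RW_ICMP_ECHOREPLY },
#endif
    { "tcp-reset",              RW_TCP_RESET },
};
#define TABLE_LEN (sizeof(reject_table) / sizeof(reject_table[0]))

/* Index-based lookup, the shape of the buggy save(): the enum value is
 * used as the array index. Here an explicit bound check returns NULL
 * where the original would have read beyond the array; values after
 * the compiled-out entry silently return the wrong neighbour's name. */
const char *name_by_index(enum reject_with with)
{
    if ((size_t)with >= TABLE_LEN)
        return NULL;
    return reject_table[with].name;
}

/* Search-based lookup, the shape of the fix, plus the not-found guard
 * the hunk itself lacks: the loop counter is never used as an index
 * unless an entry actually matched. */
const char *name_by_search(enum reject_with with)
{
    size_t i;
    for (i = 0; i < TABLE_LEN; i++)
        if (reject_table[i].with == with)
            return reject_table[i].name;
    return NULL;
}

int main(void)
{
    enum reject_with probes[] = { RW_ICMP_HOST_PROHIBITED,
                                  RW_ICMP_ECHOREPLY, RW_TCP_RESET };
    size_t k;
    for (k = 0; k < sizeof(probes) / sizeof(probes[0]); k++) {
        const char *a = name_by_index(probes[k]);
        const char *b = name_by_search(probes[k]);
        printf("enum %d: by-index=%s  by-search=%s\n", (int)probes[k],
               a ? a : "(out of bounds)", b ? b : "(no entry)");
    }
    return 0;
}
```

Running it shows the three outcomes a maintainer cares about: values before the gap agree under both lookups, the compiled-out value yields the wrong name by index but "no entry" by search, and the last enum value is out of bounds by index while the search finds "tcp-reset".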