iptables-restore segfaults

Harald Welte laforge@gnumonks.org
Tue, 16 Oct 2001 09:46:35 +0200

On Sun, Sep 16, 2001 at 04:03:11PM -0700, Ben Reser wrote:

Hi Ben.

First of all, excuse the huge delay.  Seems like everybody (including myself)
was too busy during the last weeks.
> iptables-restore crashes when data that does not conform to the format
> that iptables-save produces.  E.G. when someone gives it data with a -t
> flag in it.  As you can see here:  
> http://www.mail-archive.com/cooker%40linux-mandrake.com/msg42626.html

Ok. I wonder why people blame the distributors for something like this - 
it should be passed on to us...

> I think the problem related double -t flags being put into the argv when
> this occurs.  I tried to patch this but frankly I'm not really familiar
> enough with the way the parser is setup to do this.

You are right.  The double -t is problematic.  Theoretically this would 
be legal (it should work on a "iptables -t ... -t ..." line [i guess the last
table is used]), it cannot work.  The whole set of rules between


Is commited as one transaction into the kernel.  And a single operation can
only work on a single table.

> As a result I caught the problem (which only really effects
> iptables-restore anyway) in iptables-restore.  The patch which is
> attached makes iptables-restore emit an error message when it gets data
> that might cause it crash.

ok. I'll consider your patch, though I'm not sure if there is a more clean
way of solving the problem.  Maybe the iptables core should refuse taking
two "-t " options at all.

> Ben Reser <ben@reser.org>

Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)