Tue, 16 Oct 2001 09:46:35 +0200
On Sun, Sep 16, 2001 at 04:03:11PM -0700, Ben Reser wrote:
First of all, excuse the huge delay. Seems like everybody (including myself)
was too busy during the last weeks.
> iptables-restore crashes when it is given data that does not conform to
> the format that iptables-save produces, e.g. when someone gives it data
> with a -t flag in it. As you can see here:
Ok. I wonder why people blame the distributors for something like this -
it should be passed on to us...
> I think the problem is related to double -t flags being put into the argv
> when this occurs. I tried to patch this but frankly I'm not really familiar
> enough with the way the parser is set up to do this.
You are right. The double -t is problematic. Theoretically this would
be legal (it should work on an "iptables -t ... -t ..." line [I guess the last
table is used]), but it cannot work. The whole set of rules between
Is committed as one transaction into the kernel. And a single operation can
only work on a single table.
> As a result I caught the problem (which only really affects
> iptables-restore anyway) in iptables-restore. The patch which is
> attached makes iptables-restore emit an error message when it gets data
> that might cause it to crash.
ok. I'll consider your patch, though I'm not sure if there is a more clean
way of solving the problem. Maybe the iptables core should refuse taking
two "-t " options at all.
> Ben Reser <firstname.lastname@example.org>
Live long and prosper
- Harald Welte / email@example.com http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)