iptables-restore segfaults

Ben Reser ben@reser.org
Tue, 16 Oct 2001 01:11:05 -0700


On Tue, Oct 16, 2001 at 09:46:35AM +0200, Harald Welte wrote:
> First of all, excuse the huge delay.  Seems like everybody (including myself)
> was too busy during the last weeks.

It's no problem.  I understand how that goes.

> Ok. I wonder why people blame the distributors for something like this - 
> it should be passed on to us...

Yeah well I am on Mandrake's security team and when we put out the
update to fix some other security issue in iptables I managed to figure
this issue out and then pass it along to you guys.  Some users don't
understand the idea of directly letting you know.

> You are right.  The double -t is problematic.  Theoretically this would 
> be legal (it should work on a "iptables -t ... -t ..." line [I guess the last
> table is used]), it cannot work.  The whole set of rules between
> 
> *nat
> ...
> COMMIT
> 
> Is committed as one transaction into the kernel.  And a single operation can
> only work on a single table.

This would explain why my workarounds of removing the automatically
generated -t if there was already one present.  And explains why I found
the parser very confusing.

> ok. I'll consider your patch, though I'm not sure if there is a more clean
> way of solving the problem.  Maybe the iptables core should refuse taking
> two "-t " options at all.

I'm not sure.  I did what I did as a quick workaround.  I tried mucking
around with the core but I'm just not familiar enough with the whole
system to be very effective.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org

"To fight and conquer in all our battles is not supreme excellence. 
Supreme excellence consists in breaking the enemy's resistance without
fighting." -Chinese philosopher Sun Tzu
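
An added example, not part of the original message and not iptables code: a pre-flight check for an iptables-restore input file that reports rule lines carrying their own -t inside a *table ... COMMIT block, the condition discussed in this thread. The function name and the sample ruleset are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format. Lines 5 and 10 name a table
# themselves, once matching the enclosing block and once not.
SAMPLE = """\
# constructed sample, not from the original post
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -t mangle -j ACCEPT
COMMIT
"""

def find_table_options(text):
    """Return (line_no, block_table, named_table) for every rule line that
    carries -t/--table. Token-level check: an option value that is
    literally "-t" would also be reported."""
    findings, block = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#:":      # blank, comment, chain policy
            continue
        if line[0] == "*":                   # start of a table block
            block = line[1:].strip()
            continue
        if line == "COMMIT":                 # end of the transaction
            block = None
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                   # unbalanced quotes: plain split
            tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in ("-t", "--table"):
                named = tokens[i + 1] if i + 1 < len(tokens) else None
                findings.append((no, block, named))
            elif tok.startswith("--table="):
                findings.append((no, block, tok.split("=", 1)[1]))
    return findings

if __name__ == "__main__":
    for no, block, named in find_table_options(SAMPLE):
        print(f"line {no}: rule names table {named!r} inside *{block} block")
```
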