[PATCH] multiport does not support invert

Patrick McHardy kaber at trash.net
Sat Sep 18 19:44:07 CEST 2004


Phil Oester wrote:

>A few weeks back I submitted a patch to document the invert option
>of multiport, without noticing that it doesn't actually support invert.
>I've looked at it, and it is a compatibility nightmare to try to add
>support for it while still supporting old kernel/userspace.
>
>So, here's a patch to throw an error on this:
>
>    iptables -A FORWARD -m multiport -p tcp ! --dport 1,2,3 -j DROP
>
>instead of silently accepting it and potentially causing issues.
>
Thanks, but your patch doesn't catch all cases:

# iptables -p tcp -m multiport ! --port 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.
# iptables -p tcp -m multiport --port ! 1
iptables v1.3.0: invalid port/service `!' specified
Try `iptables -h' or 'iptables --help' for more information.

I've applied this patch, which gives:

# iptables -p tcp -m multiport ! --port 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.
# iptables -p tcp -m multiport --port ! 1
iptables v1.3.0: multiport does not support invert
Try `iptables -h' or 'iptables --help' for more information.

Regards
Patrick

Index: extensions/libip6t_multiport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libip6t_multiport.c,v
retrieving revision 1.5
diff -u -r1.5 libip6t_multiport.c
--- extensions/libip6t_multiport.c	14 Jul 2003 20:01:29 -0000	1.5
+++ extensions/libip6t_multiport.c	18 Sep 2004 17:41:47 -0000
@@ -112,6 +112,7 @@
 
 	switch (c) {
 	case '1':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
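Review bot: The new check_inverse call passes 0 as its last argument, and if that parameter is the argc bound used by check_inverse in iptables.c of this era, the "no argument following `!'" check is skipped, so a trailing `--port !` advances optind past the end of argv and argv[optind-1] reaches parse_multi_ports as NULL on the very next line, before the `if (invert)` rejection added after the switch ever runs. The same ordering applies to the '2' and '3' cases in this file and to the matching hunks in libipt_mport.c and libipt_multiport.c. Since invert is being rejected outright, the simplest fix is to fail right after check_inverse, before the argument is parsed, through a small static helper that also covers the `! --port` form (invert already set on entry); the after-switch check then becomes redundant. The enclosing parse() function starts before this hunk.
```c
/* multiport has no kernel-side support for `!'; reject it before the port
 * list is parsed so a trailing `!' never reaches parse_multi_ports as NULL. */
static void reject_inverse(char **argv, int *invert)
{
	check_inverse(argv[optind-1], invert, &optind, 0);
	if (*invert)
		exit_error(PARAMETER_PROBLEM,
			   "multiport does not support invert");
}

	/* … unchanged: parse() up to the switch … */
	case '1':
		reject_inverse(argv, &invert);
		proto = check_proto(entry);
	/* … unchanged: cases '2' and '3' call reject_inverse the same way … */
```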
@@ -120,6 +121,7 @@
 		break;
 
 	case '2':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
@@ -128,6 +130,7 @@
 		break;
 
 	case '3':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
@@ -138,6 +141,10 @@
 	default:
 		return 0;
 	}
+
+	if (invert)
+		exit_error(PARAMETER_PROBLEM,
+			   "multiport does not support invert");
 
 	if (*flags)
 		exit_error(PARAMETER_PROBLEM,
Index: extensions/libipt_mport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libipt_mport.c,v
retrieving revision 1.6
diff -u -r1.6 libipt_mport.c
--- extensions/libipt_mport.c	14 Jul 2003 20:01:29 -0000	1.6
+++ extensions/libipt_mport.c	18 Sep 2004 17:41:48 -0000
@@ -136,6 +136,7 @@
 
 	switch (c) {
 	case '1':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_SOURCE;
@@ -143,6 +144,7 @@
 		break;
 
 	case '2':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_DESTINATION;
@@ -150,6 +152,7 @@
 		break;
 
 	case '3':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_EITHER;
@@ -159,6 +162,10 @@
 	default:
 		return 0;
 	}
+
+	if (invert)
+		exit_error(PARAMETER_PROBLEM,
+			   "multiport does not support invert");
 
 	if (*flags)
 		exit_error(PARAMETER_PROBLEM,
Index: extensions/libipt_multiport.c
===================================================================
RCS file: /cvsroot/iptables/extensions/libipt_multiport.c,v
retrieving revision 1.7
diff -u -r1.7 libipt_multiport.c
--- extensions/libipt_multiport.c	14 Jul 2003 20:01:29 -0000	1.7
+++ extensions/libipt_multiport.c	18 Sep 2004 17:41:48 -0000
@@ -112,6 +112,7 @@
 
 	switch (c) {
 	case '1':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
@@ -120,6 +121,7 @@
 		break;
 
 	case '2':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
@@ -128,6 +130,7 @@
 		break;
 
 	case '3':
+		check_inverse(argv[optind-1], &invert, &optind, 0);
 		proto = check_proto(entry);
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
@@ -138,6 +141,10 @@
 	default:
 		return 0;
 	}
+
+	if (invert)
+		exit_error(PARAMETER_PROBLEM,
+			   "multiport does not support invert");
 
 	if (*flags)
 		exit_error(PARAMETER_PROBLEM,

