[PATCH] disallow multiple matches of same type
Phil Oester
kernel at linuxace.com
Mon Feb 20 06:54:21 CET 2006
In latest iptables SVN, the command:
iptables -A foo -p tcp -m multiport --dport 45,47 -m multiport --sport 45:48
ends up with mangled results of:
... multiport sports multiport sports tcp spts:45:48
Since at present iptables can only handle one match of a given type
per rule, the patch below makes sure we disallow more than one.
This closes bugzilla #447
Phil
--- ipt-orig/iptables.c 2006-02-11 01:50:11.000000000 -0800
+++ ipt-new/iptables.c 2006-02-19 21:46:03.000000000 -0800
@@ -2125,6 +2125,11 @@
exit_error(PARAMETER_PROBLEM,
"unexpected ! flag before --match");
+ for (matchp = matches; matchp; matchp = matchp->next) {
+ if (strcmp(optarg, matchp->match->name) == 0)
+ exit_error(PARAMETER_PROBLEM,
+ "multiple matches of same type not supported");
+ }
m = find_match(optarg, LOAD_MUST_SUCCEED, &matches);
size = IPT_ALIGN(sizeof(struct ipt_entry_match))
+ m->size;
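Review bot: the new exit_error call does not tell the user which match was repeated, so a long rule fails with no hint of where; exit_error takes a printf-style format (as the existing "unexpected ! flag before --match" call shows), so pass the name along, e.g. `"multiple matches of same type not supported: %s", optarg`. Note also that the loop rejects any repeated `-m <name>` for every match module, not only multiport, since it compares optarg against every entry already in `matches`; that is a deliberate, global restriction and the commit message should say so rather than only citing the multiport case.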