[Bug 1112] New: xtables-compat-multi fails to parse comments

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jan 13 01:21:49 CET 2017 

https://bugzilla.netfilter.org/show_bug.cgi?id=1112

            Bug ID: 1112
           Summary: xtables-compat-multi fails to parse comments
           Product: iptables
           Version: CVS (please indicate timestamp)
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: minor
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: hidekiai at HAI-TechWares.com

Either via 'iptables-translate' (standalone) or 'iptables-restore-translate -f'
(both are softlinks to xtables-compat-multi), when '-m comment --comment "some
comment with quotes"' is part of the match rule, the jump verdict is appended
to the ending quote.

For example:
# iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT

Note that even without comment with double-quotes (i.e. --comment "foobar"), it
will add quotes:

# iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j DROP -m comment --comment singlecomment
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"singlecomment\"drop

Attempting to apply the translated/generated rule will result to:

# nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
<cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting end of
file or newline or semicolon
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp
sport 80 counter comment "foobar"jump LONGNACCEPT
                                                                               
                              ^^^^

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170113/50c1f0c3/attachment.html>

More information about the netfilter-buglog mailing list