With commit 9c09d28102bb4 ("xshared: Simplify generic_opt_check()"), iptables started to reject list-specific options (--numeric, --exact, --line-numbers) if --zero was also specified: The old generic_opt_check() implementation ignored a command's reject of an option if an earlier command (decided by the numeric CMD_* value) had accepted it already. Instead of replicating the old logic and introducing an inner loop over the bits in 'command', simply expand the respective 'options_v_commands' fields. As a side-effect, this will make iptables accept but ignore these list-specific options when only --zero command was specified.
Reported-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/xshared.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 2f663f9762016..cf73890ac9f86 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -943,16 +943,16 @@ static void parse_rule_range(struct xt_cmd_parse *p, const char *argv)
 #define CMD_IDRAC CMD_INSERT | CMD_DELETE | CMD_REPLACE | \
 CMD_APPEND | CMD_CHECK | CMD_CHANGE_COUNTERS
 static const unsigned int options_v_commands[NUMBER_OF_OPT] = {
-/*OPT_NUMERIC*/ CMD_LIST,
+/*OPT_NUMERIC*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
 /*OPT_SOURCE*/ CMD_IDRAC,
 /*OPT_DESTINATION*/ CMD_IDRAC,
 /*OPT_PROTOCOL*/ CMD_IDRAC,
 /*OPT_JUMP*/ CMD_IDRAC,
 /*OPT_VERBOSE*/ UINT_MAX,
-/*OPT_EXPANDED*/ CMD_LIST,
+/*OPT_EXPANDED*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
 /*OPT_VIANAMEIN*/ CMD_IDRAC,
 /*OPT_VIANAMEOUT*/ CMD_IDRAC,
-/*OPT_LINENUMBERS*/ CMD_LIST,
+/*OPT_LINENUMBERS*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
 /*OPT_COUNTERS*/ CMD_INSERT | CMD_REPLACE | CMD_APPEND | CMD_SET_POLICY,
 /*OPT_FRAGMENT*/ CMD_IDRAC,
 /*OPT_S_MAC*/ CMD_IDRAC,
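Review bot: The mask `CMD_LIST | CMD_ZERO | CMD_ZERO_NUM` is written out on three rows in this hunk (OPT_NUMERIC, OPT_EXPANDED, OPT_LINENUMBERS) and on three more in the next one, and nothing in the table says why the zero commands accept list options. A local macro beside CMD_IDRAC, for example `#define CMD_LIST_ZERO (CMD_LIST | CMD_ZERO | CMD_ZERO_NUM)` with a matching `#undef`, would keep the six rows in sync. A comment such as `/* list options stay valid when --list is combined with --zero; with --zero alone they are accepted and ignored */` would record the side effect where the next reader of this validation table will look for it. Because this restores behaviour that an earlier simplification of the option check broke, a regression test for the combined list-and-zero invocation would help; none is visible in this patch. The array initializer opens in this hunk and closes in the following one.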
@@ -963,9 +963,9 @@ static const unsigned int options_v_commands[NUMBER_OF_OPT] = {
 /*OPT_P_TYPE*/ CMD_IDRAC,
 /*OPT_LOGICALIN*/ CMD_IDRAC,
 /*OPT_LOGICALOUT*/ CMD_IDRAC,
-/*OPT_LIST_C*/ CMD_LIST,
-/*OPT_LIST_X*/ CMD_LIST,
-/*OPT_LIST_MAC2*/ CMD_LIST,
+/*OPT_LIST_C*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
+/*OPT_LIST_X*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
+/*OPT_LIST_MAC2*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
 };
 #undef CMD_IDRAC
--
2.47.1
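Review bot: The rows OPT_LIST_C, OPT_LIST_X and OPT_LIST_MAC2 are widened here as well, but the description names only --numeric, --exact and --line-numbers, so the accept-but-ignore side effect on these three options is undocumented. They look like list-format options of another front end that shares this table (presumably ebtables), which should be confirmed against the callers of the option check. If that is intended, a one-line comment above the rows, e.g. `/* list-format options: also permitted with CMD_ZERO and CMD_ZERO_NUM, like OPT_NUMERIC */`, or a sentence in the commit message would make the wider scope explicit. The table's opening lines are outside this hunk.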