On Wednesday 30 May 2007, Pablo Neira Ayuso wrote: > Jan Engelhardt wrote: > > cc nf-dev > > > > On May 29 2007 06:34, Andrew Schulman wrote: > >> For the archive, Massimilano Hofer sent me the attached patch, which > >> solves the problem. It seems that this patch should be merged into > >> iptables. > > I don't find this patch in the archives, did it get lost or never post > it to netfilter-devel? Massimiliano? Sorry for the delay. I couldn't read the mailing list in the last several weeks. I sent my patch several months ago, but received no reply. I suppose it got lost in the noise. I attach it again. Just a few fixes and a little tidying. I have no objections to Jan's variants. Choose the one you like better. -- Saluti, Massimiliano Hofer
diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test iptables-1.3.5-20060922.new/extensions/.condition-test
--- iptables-1.3.5-20060922.orig/extensions/.condition-test 2002-11-02 16:00:15.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test 2006-09-26 12:56:01.000000000 +0200
@@ -1,3 +1,5 @@
 #!/bin/sh
 # True if condition is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_condition.h ] ||
+ [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/.condition-test6 iptables-1.3.5-20060922.new/extensions/.condition-test6
--- iptables-1.3.5-20060922.orig/extensions/.condition-test6 2003-02-25 12:54:56.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/.condition-test6 2006-09-26 12:55:23.000000000 +0200
@@ -1,3 +1,5 @@
 #!/bin/sh
 # True if condition6 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] && echo condition
+( [ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_condition.h ] ||
+ [ -f $KERNEL_DIR/include/linux/netfilter/xt_condition.h ] ) &&
+ echo condition
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c iptables-1.3.5-20060922.new/extensions/libip6t_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.c 2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.c 2006-09-26 13:04:09.000000000 +0200
@@ -6,7 +6,14 @@
 #include <ip6tables.h>
 #include<linux/netfilter_ipv6/ip6_tables.h>
+
+#ifndef _X_TABLES_H
 #include<linux/netfilter_ipv6/ip6t_condition.h>
+#define condition_info condition6_info
+#define CONDITION_NAME_LEN CONDITION6_NAME_LEN
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
 static void
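Review bot: `$KERNEL_DIR` is expanded unquoted in both new `[ -f … ]` tests, so a kernel directory path containing whitespace splits into several words and `[` reports a syntax error instead of returning a clean false; `[ -f "$KERNEL_DIR/include/linux/netfilter/xt_condition.h" ]` is the conventional form. The same applies to the .condition-test6 hunk that follows. The `( … )` grouping forks a subshell for two file tests; `{ …; }` would avoid that, though for a one-shot build probe this is only a nit.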
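Review bot: The new `#ifndef _X_TABLES_H` picks the header by testing the include guard of linux/netfilter/x_tables.h, a header this file never includes itself; it only works if ip6_tables.h happens to pull that header in and the guard keeps exactly that name, which is a private detail of the kernel headers rather than a documented interface. The .condition-test script already knows whether xt_condition.h exists, so a define derived there at build time (e.g. `-DHAVE_XT_CONDITION`, constructed name) would make the selection explicit and robust against header reshuffles. If the guard is kept, a comment on the `#ifndef` naming the kernel header expected to define it would help the next reader, and the same is worth saying for `#define condition_info condition6_info`, which renames a struct tag through the preprocessor. The same `#ifndef _X_TABLES_H` test appears in the libipt_condition.c include hunk below; the remarks apply there too.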
@@ -29,8 +36,12 @@
 const struct ip6t_entry *entry, unsigned int *nfcache,
 struct ip6t_entry_match **match)
 {
- struct condition6_info *info =
- (struct condition6_info *) (*match)->data;
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
+ struct condition_info *info =
+ (struct condition_info *) (*match)->data;
 if (c == 'X') {
 if (*flags)
@@ -39,12 +50,26 @@
 check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION6_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
 exit_error(PARAMETER_PROBLEM, "File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
 info->invert = invert;
 *flags = 1;
 return 1;
@@ -67,8 +92,8 @@
 print(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match, int numeric)
 {
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
 printf("condition %s%s ", (info->invert) ? "!" : "", info->name);
 }
@@ -78,8 +103,8 @@
 save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
 {
- const struct condition6_info *info =
- (const struct condition6_info *) match->data;
+ const struct condition_info *info =
+ (const struct condition_info *) match->data;
 printf("--condition %s\"%s\" ", (info->invert) ? "! " : "", info->name);
 }
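Review bot: `i` is declared `int` in the declarations hunk at the top of this line, but the reserved-name loop in the next hunk compares it against `sizeof(forbidden_names)/sizeof(char *)`, a `size_t`, which will most likely draw a signed/unsigned comparison warning under -Wextra; `size_t i;` (both loops only count upward from 0, so the type change is safe) together with `sizeof(forbidden_names) / sizeof(forbidden_names[0])` ties the bound to the array's real element type. The length check itself reads correctly: the scan stops at CONDITION_NAME_LEN, so `i == CONDITION_NAME_LEN` means no terminator was found inside the buffer, and the later `strcpy(info->name, name)` fits provided info->name is CONDITION_NAME_LEN bytes — worth confirming against the header since that size is not visible here. Rejecting '/', "", "." and ".." is userspace hygiene only; anything building the match data without this tool bypasses it, so the kernel module has to enforce the same constraints on what it receives, and a comment such as `/* Client-side check only; the kernel must validate the name as well. */` keeps that expectation visible. The comment's "NULL terminated" should read "NUL-terminated", since it is about the byte, not the pointer. The identical code is added to libipt_condition.c in the hunks on the following lines (@@ -29,6 +34,10 and @@ -39,12 +48,26), where all of the above applies unchanged.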
@@ -88,8 +113,8 @@
 static struct ip6tables_match condition = {
 .name = "condition",
 .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct condition6_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
+ .size = IP6T_ALIGN(sizeof(struct condition_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct condition_info)),
 .help = &help,
 .parse = &parse,
 .final_check = &final_check,
diff -Nru iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man iptables-1.3.5-20060922.new/extensions/libip6t_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libip6t_condition.man 2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libip6t_condition.man 2006-09-26 09:31:40.000000000 +0200
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
 .BR "--condition " "[!] \fIfilename"
-Match on boolean value stored in /proc/net/ip6t_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.c iptables-1.3.5-20060922.new/extensions/libipt_condition.c
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.c 2005-02-14 14:13:04.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.c 2006-09-26 12:01:57.000000000 +0200
@@ -6,7 +6,12 @@
 #include <iptables.h>
 #include<linux/netfilter_ipv4/ip_tables.h>
+
+#ifndef _X_TABLES_H
 #include<linux/netfilter_ipv4/ipt_condition.h>
+#else
+#include<linux/netfilter/xt_condition.h>
+#endif
 static void
@@ -29,6 +34,10 @@
 const struct ipt_entry *entry, unsigned int *nfcache,
 struct ipt_entry_match **match)
 {
+ static const char * const forbidden_names[]={ "", ".", ".." };
+ const char *name;
+ int i;
+
 struct condition_info *info =
 (struct condition_info *) (*match)->data;
@@ -39,12 +48,26 @@
 check_inverse(optarg, &invert, &optind, 0);
- if (strlen(argv[optind - 1]) < CONDITION_NAME_LEN)
- strcpy(info->name, argv[optind - 1]);
- else
+ name = argv[optind - 1];
+ /* We don't want a '/' in a proc file name. */
+ for (i=0; i < CONDITION_NAME_LEN && name[i] != '\0'; i++)
+ if (name[i] == '/')
+ exit_error(PARAMETER_PROBLEM,
+ "Can't have a '/' in a condition name");
+
+ /* We can't handle file names longer than CONDITION_NAME_LEN and */
+ /* we want a NULL terminated string. */
+ if (i == CONDITION_NAME_LEN)
 exit_error(PARAMETER_PROBLEM, "File name too long");
+ /* We don't want certain reserved names. */
+ for (i=0; i < sizeof(forbidden_names)/sizeof(char *); i++)
+ if(strcmp(name, forbidden_names[i])==0)
+ exit_error(PARAMETER_PROBLEM,
+ "Forbidden condition name");
+
+ strcpy(info->name, name);
 info->invert = invert;
 *flags = 1;
 return 1;
diff -Nru iptables-1.3.5-20060922.orig/extensions/libipt_condition.man iptables-1.3.5-20060922.new/extensions/libipt_condition.man
--- iptables-1.3.5-20060922.orig/extensions/libipt_condition.man 2006-01-30 09:50:09.000000000 +0100
+++ iptables-1.3.5-20060922.new/extensions/libipt_condition.man 2006-09-26 09:31:42.000000000 +0200
@@ -1,4 +1,4 @@
 This matches if a specific /proc filename is '0' or '1'.
 .TP
 .BI "--condition " "[!] \fIfilename\fP"
-Match on boolean value stored in /proc/net/ipt_condition/filename file
+Match on boolean value stored in /proc/net/nf_condition/filename file