History log of /external/iptables/iptables/iptables-restore.c
Revision Date Author Comments
d7aeda5ed45ac7ca959f12180690caa371b5b14b 08-Jul-2013 Pablo Neira Ayuso <pablo@netfilter.org> ip{6}tables-restore: fix breakage due to new locking approach

Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances),
ip{6}tables-restore does not work anymore:

    iptables-restore < x
    Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

do_command{6}(...) is called from ip{6}tables-restore for every iptables
command contained in the rule-set file. Thus, hitting the lock error
after the second command.

Fix it by bypassing the locking in the ip{6}tables-restore path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
23a98b56935c42ef460020e37a9ff8006eee58e2 03-Aug-2012 Pablo Neira Ayuso <pablo@netfilter.org> ip[6]tables-restore: cleanup to reduce one level of indentation

This patch moves the parameter parsing to one function to reduce
one level of indentation. Jan Engelhardt likes this.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
c5300d11308ccb429d551c32dffe752575c30b77 17-Jun-2012 Jan Engelhardt <jengelh@inai.de> iptables-restore: warn about -t in rule lines

save-restore syntax uses *table, not -t table.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
2165f38d2582e88e8a9dd9416f34eca7a7672e5a 30-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables-restore: fix parameter parsing (shows up with gcc-4.7)

This patch fixes parameter parsing in iptables-restore since time ago. The
problem has shown up with gcc-4.7. This version of gcc seems to perform more
aggressive memory management than previous.

Peter Lekensteyn provided the following sample code similar to the one
in iptables-restore:

    int i = 0;

    for (;;) {
        char x[5];

        x[i] = '0' + i;
        if (++i == 4) {
            x[i] = '\0'; /* terminate string with null byte */
            printf("%s\n", x);
            break;
        }
    }

Many may expect 0123 as output. But GCC 4.7 does not do that when compiling
with optimization enabled (-O1 and higher). It instead puts random data in the
first bytes of the character array, which becomes:

    |  0  |  1  |  2  |  3  |  4   |
    |      RANDOM     | '3' | '\0' |

Since the array is declared inside the scope of the loop's body, you can think of
it as of a new array being allocated in the automatic storage area for each
loop iteration.

The correct code should be:

    char x[5];

    for (;;) {
        x[i] = '0' + i;
        if (++i == 4) {
            x[i] = '\0'; /* terminate string with null byte */
            printf("%s\n", x);
            break;
        }
    }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
f1c668268e9ddaedd8d78d7ae44cd26db1e8469f 30-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> Revert "iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)"

This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.

Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).
/external/iptables/iptables/iptables-restore.c
44191bdbd71e685fba9eab864b9df25e63905220 23-Jul-2012 Pablo Neira Ayuso <pablo@netfilter.org> iptables-restore: move code to add_param_to_argv, cleanup (fix gcc-4.7)

This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.

But, in reality, it also fixes iptables when compiled with gcc-4.7.

Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.

@@ -380,9 +380,9 @@
quote_open = 0;
escaped = 0;
param_len = 0;
+ char param_buffer[1024];

for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];

if (quote_open) {
if (escaped) {
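
Review bot: the added "char param_buffer[1024];" lands after the "param_len = 0;" assignment, so it is a declaration mixed in among statements; move it up to the other declarations of the enclosing block and give it a one-line comment saying the buffer has to outlive a single pass of the "for (curchar = parsestart; ...)" loop. param_len is set before the loop and indexes into the buffer on later iterations, while an array declared in the loop body starts a new lifetime on every iteration, so its earlier contents are indeterminate. Without that comment a later cleanup could move the declaration back into the loop. The removed line also leaves an empty first line in the loop body, which can go.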

But I have a hard time to apply this patch in such a way. Instead, I came
up with the idea of this cleanup, which does not harm after all (and fixes
the issue for us).

Someone in:

https://bugzilla.redhat.com/show_bug.cgi?id=82579

put some light on this:

"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes

    param_buffer[param_len++] = *curchar;
    continue;

At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.

Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
cb999dfdaf25d5a774d2ee84cb99355438d57c93 10-May-2012 Florian Westphal <fw@strlen.de> ip(6)tables-restore: make sure argv is NULL terminated

Else, argv[argc] may point to free'd memory.

Some extensions, e.g. rateest, may fail to parse valid input
because argv[optind] (with optind == argc) is not NULL.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/external/iptables/iptables/iptables-restore.c
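
The two parser properties discussed in the entries above, shown together as an added example that is not code from iptables or from any commit listed here: the token buffer is declared outside the character loop so its bytes survive from one iteration to the next (the gcc-4.7 entries), and the resulting vector ends with argv[argc] == NULL (cb999df). split_rule_line and MAX_ARGS are hypothetical names, and the line syntax is simplified to whitespace, double quotes and backslash escapes inside quotes.

```c
/* Added example, not iptables code: split_rule_line and MAX_ARGS are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 16

/* Split a rule line into tokens. Returns argc, or -1 on error.
 * On success argv[argc] == NULL, as getopt-style parsers expect. */
int split_rule_line(const char *line, char *argv[MAX_ARGS + 1])
{
	char param_buffer[1024];	/* outside the loop: must keep its bytes across iterations */
	size_t param_len = 0;
	int argc = 0, quote_open = 0, escaped = 0;

	for (const char *curchar = line; ; curchar++) {
		char c = *curchar;	/* assigned anew each iteration, so loop scope is fine */
		int sep = (c == ' ' || c == '\t' || c == '\n' || c == '\0');

		if (quote_open && c == '\\' && !escaped) {
			escaped = 1;
		} else if (c == '"' && !escaped) {
			quote_open = !quote_open;
		} else if (sep && (!quote_open || c == '\0')) {
			if (param_len > 0) {	/* a token ended: copy it out */
				if (argc == MAX_ARGS || !(argv[argc] = malloc(param_len + 1)))
					goto fail;
				memcpy(argv[argc], param_buffer, param_len);
				argv[argc++][param_len] = '\0';
				param_len = 0;
			}
			if (c == '\0')
				break;
		} else {
			param_buffer[param_len++] = c;
			escaped = 0;
			if (param_len == sizeof(param_buffer))
				goto fail;	/* token too long */
		}
	}
	argv[argc] = NULL;	/* argv[argc] must be NULL, never a stale pointer */
	if (!quote_open)
		return argc;
fail:	/* unterminated quote, oversized token, too many tokens or out of memory */
	while (argc > 0) {
		free(argv[--argc]);
		argv[argc] = NULL;
	}
	return -1;
}
```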
0ab10b11093ec250b404e3bead1d39177d1cbfa0 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> ip6tables-restore: make code look alike with iptables-restore

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c
14da56743c6cdf25da35b7b5ca7a5d201771990d 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: resolve old macro names that are indirections

Command used:

    git grep -f <(pcregrep -hior \
        '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/)

and then fix all occurrences.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c
1639fe86579f86f5f6a954a9b0adde2e16ad1980 27-Aug-2011 Jan Engelhardt <jengelh@medozas.de> libiptc: combine common types: _handle

No real API/ABI change incurred, since the definition of the structs'
types is not visible anyhow.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c
f643eb37e49a212d40eb060bcdfafbc366c0d616 26-Aug-2011 Jan Engelhardt <jengelh@medozas.de> src: remove unused IPTABLES_MULTI define

This dead code has been lingering around since commit v1.4.5~7.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c
ee80faf4438102395bc4034894b6468453181be9 10-Jun-2011 Jiri Popelka <jpopelka@redhat.com> iptables: Coverity: REVERSE_INULL

ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
ip6tables-restore.c:463: check_after_deref: Dereferencing "in"
before a null check.
iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
iptables-restore.c:468: check_after_deref: Dereferencing "in" before a
null check.
iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
iptables-xml.c:873: check_after_deref: Dereferencing "in" before a
null check.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c
033e25a3ad215ee3f5a07f0a3315f74c4abfaced 07-Jun-2011 Jan Engelhardt <jengelh@medozas.de> src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
/external/iptables/iptables/iptables-restore.c