bugzilla-daemon at netfilter.org
2017-Jan-13 00:21 UTC
[Bug 1112] New: xtables-compat-multi fails to parse comments
https://bugzilla.netfilter.org/show_bug.cgi?id=1112
Bug ID: 1112
Summary: xtables-compat-multi fails to parse comments
Product: iptables
Version: CVS (please indicate timestamp)
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: minor
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: hidekiai at HAI-TechWares.com
Either via 'iptables-translate' (standalone) or
'iptables-restore-translate -f'
(both are softlinks to xtables-compat-multi), when '-m comment --comment
"some
comment with quotes"' is part of the match rule, the jump verdict is
appended
to the ending quote.
For example:
# iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
Note that even without comment with double-quotes (i.e. --comment
"foobar"), it
will add quotes:
# iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j DROP -m comment --comment singlecomment
nft add rule ip filter FORWARD ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"singlecomment\"drop
Attempting to apply the translated/generated rule will result to:
# nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
<cmdline>:1:111-114: Error: syntax error, unexpected jump, expecting end
of
file or newline or semicolon
add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp
sport 80 counter comment "foobar"jump LONGNACCEPT
^^^^
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170113/50c1f0c3/attachment.html>
bugzilla-daemon at netfilter.org
2017-Jan-28 19:49 UTC
[Bug 1112] xtables-compat-multi fails to parse comments
https://bugzilla.netfilter.org/show_bug.cgi?id=1112
Shyam Saini <mayhs11saini at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mayhs11saini at gmail.com
Status|NEW |RESOLVED
Resolution|--- |FIXED
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170128/ce107496/attachment.html>
Possibly Parallel Threads
- [Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
- Custom build kernel patch fails big time.
- [Bug 1397] New: What am I doing wrong!?
- [Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
- [ANNOUNCE] nftables 0.9.5 release