On Fri, 21 Jun 2002, Patrick Schaaf wrote:

> > What about simply returning by an error code if there is an attempt to
> > create a chain which clashes with a target name?
>
> Wasn't there recent discussion about "how do I find all available
> target names"? But I agree in principle, that would be the least
> intrusive short-term "rationalization" of the now-very-order-dependent
> behaviour.

Here is the patch according to my proposal:

--- iptables.c.orig     Fri Jun 21 13:39:55 2002
+++ iptables.c  Fri Jun 21 13:44:09 2002
@@ -1159,9 +1159,6 @@
        u_int8_t flags;
        char buf[BUFSIZ];

-       /* User creates a chain called "REJECT": this overrides the
-          `REJECT' target module.  Keep feeding them rope until the
-          revolution... Bwahahahahah */
        if (!iptc_is_chain(targname, handle))
                target = find_target(targname, TRY_LOAD);
        else
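Review bot: the lookup order is unchanged here, so `if (!iptc_is_chain(targname, handle))` still lets an existing chain shadow a target of the same name, and dropping the comment leaves that precedence undocumented. The new check only runs in the 'N' case, so a chain that reached the table by any other path, or before this patch, still wins over the target. Suggest replacing the comment with a neutral one stating that a user chain takes precedence over a target extension of the same name, rather than deleting it outright.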
@@ -1760,6 +1757,10 @@
                                exit_error(PARAMETER_PROBLEM,
                                           "chain name not allowed to start "
                                           "with `-'\n");
+                       if (find_target(optarg, TRY_LOAD))
+                               exit_error(PARAMETER_PROBLEM,
+                                          "chain name may not clash "
+                                          "with target name\n");
                        add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
                                    invert);
                        chain = optarg;
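Review bot: the `find_target(optarg, TRY_LOAD)` test in the 'N' case only rejects a name for which a target can be found at the moment the chain is created; a target that becomes loadable later under the same name is still shadowed by the chain through the `iptc_is_chain()` branch in the earlier hunk. That limit deserves a line in the patch description. The error text would also be easier to act on if it named the offending chain, for example by passing `optarg` into the message, and any other command that can introduce a chain name (rename, if it shares this parser) needs the same test to keep the rule consistent.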
--- ip6tables.c.orig    Fri Jun 21 13:44:22 2002
+++ ip6tables.c Fri Jun 21 13:45:51 2002
@@ -1161,9 +1161,6 @@
        u_int8_t flags;
        char buf[BUFSIZ];

-       /* User creates a chain called "REJECT": this overrides the
-          `REJECT' target module.  Keep feeding them rope until the
-          revolution... Bwahahahahah */
        if (!ip6tc_is_chain(targname, handle))
                target = find_target(targname, TRY_LOAD);
        else
@@ -1797,6 +1794,14 @@
                        break;

                case 'N':
+                       if (optarg && *optarg == '-')
+                               exit_error(PARAMETER_PROBLEM,
+                                          "chain name not allowed to start "
+                                          "with `-'\n");
+                       if (find_target(optarg, TRY_LOAD))
+                               exit_error(PARAMETER_PROBLEM,
+                                          "chain name may not clash "
+                                          "with target name\n");
                        add_command(&command, CMD_NEW_CHAIN, CMD_NONE,
                                    invert);
                        chain = optarg;
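Review bot: in the 'N' case the first added test guards against a NULL argument with `optarg && *optarg == '-'`, but the next line calls `find_target(optarg, TRY_LOAD)` with no such guard, so the two checks disagree about whether `optarg` can be NULL. Either drop the `optarg &&` if the option always carries an argument, or guard both. This hunk also adds the leading `-' check to ip6tables.c, which the mail does not mention; it is a separate behaviour change from the target-name clash and should be called out in the description or split into its own patch.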


I believe this is the simplest approach - all other solutions require
changes both in the user interface and the kernel structures.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


