    [firewall] Fix iptables validator bugs. JB#48869 · 74c8d4d1
    ballock authored
    clean_match_option
    ------------------
    
    This example rule would fail, while being correct:
    -p tcp -m tcp ! --tcp-option 1 -m tcp ! --tcp-option 2 -j ACCEPT
    
    The reason is that tcp match has AF_UNSPEC instead of the particular
    AF_INET/AF_INET6 protocol specified in its requirements.
    
    Although it's possible to add a more complicated check (first to see
    if the match's family_dep is not UNSPEC, then if it equals the family),
    there's no need to, since we only execute cleanup when the match
    was already in the invoked_matches list, and it could have been there
    only if it meets the conditions of the match.
    
    Ergo: this check is unnecessary and harmful.
    
    is_valid_port_or_service_range
    ------------------------------
    
    tokens[i] will only be false at the end of the vector, not when the
    string is empty. Thus, this check does what the g_strv_length does.
    
    handle_ports
    ------------
    
    It turned out that the function allows using an empty
    string ('') as a correct value, which should not be allowed.
    
    Like with the previous function, we can either use tokens[i] to
    indicate vector end or g_strv_length. However, since we need to verify
    that the split vector is empty, this form was chosen.
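
The empty-string problem described under handle_ports is a general validator pitfall: a loop that iterates over split tokens never runs for an empty input, so nothing rejects it. The following is an added illustration, not connman's code: a hypothetical `is_valid_port_list` (name and accepted syntax are assumptions: a comma-separated list of ports 0..65535 or `lo:hi` ranges) that rejects empty input and empty tokens, beside a constructed `lenient_port_list` showing how the bug class lets `''` through.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not connman's own validator. Syntax accepted here is an
 * assumption: "80", "80,443", "1000:2000" (lo <= hi), ports 0..65535. */

/* Parse exactly `len` bytes as a decimal port number. Empty input fails. */
static int parse_port(const char *s, size_t len, long *out)
{
    char buf[6];
    if (len == 0 || len > 5)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    long v = strtol(buf, NULL, 10);
    if (v < 0 || v > 65535)
        return 0;
    *out = v;
    return 1;
}

/* One list entry: a single port or a "lo:hi" range. */
static int parse_entry(const char *s, size_t len)
{
    const char *colon = memchr(s, ':', len);
    long lo, hi;
    if (!colon)
        return parse_port(s, len, &lo);
    size_t lo_len = (size_t)(colon - s);
    if (!parse_port(s, lo_len, &lo))
        return 0;
    if (!parse_port(colon + 1, len - lo_len - 1, &hi))
        return 0;
    return lo <= hi;
}

/* Fixed form: an empty string, an empty token ("80," or ",80") and a
 * NULL pointer are all rejected before any rule text is accepted. */
int is_valid_port_list(const char *s)
{
    if (!s || *s == '\0')
        return 0;
    const char *p = s;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (!parse_entry(p, len))   /* len == 0 fails here too */
            return 0;
        if (!comma)
            return 1;
        p = comma + 1;
    }
}

/* Constructed "before" shape of the bug class (not the original code):
 * it only checks the tokens it finds, so '' yields zero tokens and passes. */
int lenient_port_list(const char *s)
{
    if (!s)
        return 0;
    const char *p = s;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len && !parse_entry(p, len))
            return 0;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 1;   /* reached for "" as well, which is the defect */
}
```

The check on the split vector being non-empty has to happen before the token loop, which is exactly why the commit verifies the vector length rather than relying on the loop's own termination.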