Package: iptables
Version: 1.3.6.0debian1-5
Severity: important
Recently I updated some of my firewall rules. One of the specifications was
like the following:
/sbin/iptables -A INPUT -s 62.65.107.157 -j DROP
Since I had a series of such modifications, I decided to align them nicely
and so I used three characters for each octet. So I changed the above line
into:
/sbin/iptables -A INPUT -s 062.065.107.157 -j DROP
To my amazement this showed up in `iptables -nL' as:
DROP tcp -- 50.53.107.157 0.0.0.0/0
Looking at the sources, iptables.c defines in line 276 the function
struct in_addr *
dotted_to_addr(const char *dotted)
which eventually calls (line 991)
int
string_to_number_ll(const char *s, unsigned long long min, unsigned long long max,
                    unsigned long long *ret)
which uses strtoull(s, &end, 0) to convert each part of the dotted decimal
specification into a binary value. However, if strtoul's 3rd parameter
(`base') is initialized to the value 0, strtoul will automatically convert
values starting at 0 to octal values.
I think using strtoull(s, &end, 0) to convert dotted decimal addresses is
confusing. At least it took me some time to find out what happened, especially
since iptables's man page does not mention the word `octal' and the provided
howtos in iptables-1.3.6.0debian1/howtos only once mention `octal' in
`netfilter-hacking-HOWTO.sgml':
<tag>string_to_number()</tag> converts a string into a number in the
given range, returning -1 if it is malformed or out of range.
`string_to_number' rely on `strtol' (see the manpage), meaning
that a leading "0x" would make the number be in Hexadecimal base, a leading
"0" would make it be in Octal base.
Also, none of the files in /usr/share/doc/iptables contains the word `octal',
so I wouldn't be amazed to find that many iptables specifications might be
converted to different addresses than intended (that's why I rated this
bug-report as `important').
My suggestion would be to either update the manpage (and other documentation?)
alerting iptables's users to the fact that octal conversions may be expected,
or change the dotted_to_addr function (assuming this function is used to parse
a specification like `-A INPUT -s 62.65.107.157 -j DROP') in such a way that
it doesn't use octal conversions anymore.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.21.1 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages iptables depends on:
ii libc6 2.6-2 GNU C Library: Shared libraries
ii libselinux1 2.0.15-2+b1 SELinux shared libraries
iptables recommends no packages.
-- no debconf information
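The following is an added example, not code from iptables nor from the reporter. It is a small C model of a dotted-quad parser built on strtoull(s, &end, base), written to reproduce the behaviour described above: with base 0 the zero-padded "062.065.107.157" comes out as 50.53.107.157 (and a "0x" prefix is also accepted), while a strict decimal-only variant rejects padded octets instead of silently reinterpreting them. The function names (dotted_to_u32, dotted_to_u32_strict, parse_value, parse_value_strict, u32_to_dotted) and the sample inputs are my own and are not taken from the iptables sources.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a strtoull-based dotted-quad parser; this is NOT
 * iptables' dotted_to_addr(). `base` is handed straight to strtoull, so
 * base 0 reproduces the reported behaviour: a leading "0" makes strtoull
 * read that octet as octal and a leading "0x" as hexadecimal.
 * Returns 1 and stores a host-order address in *out, or 0 if malformed. */
int dotted_to_u32(const char *dotted, int base, uint32_t *out)
{
    uint32_t addr = 0;
    const char *p = dotted;

    for (int i = 0; i < 4; i++) {
        char *end;
        errno = 0;
        unsigned long long v = strtoull(p, &end, base);
        if (end == p || errno != 0 || v > 255)
            return 0;                 /* no digits, overflow, or octet > 255 */
        if (i < 3) {
            if (*end != '.')
                return 0;             /* e.g. "08": octal parse stops at '8' */
            p = end + 1;
        } else if (*end != '\0') {
            return 0;                 /* trailing garbage after last octet */
        }
        addr = (addr << 8) | (uint32_t)v;
    }
    *out = addr;
    return 1;
}

/* Hardened variant: each octet must be 1-3 ASCII decimal digits, with no
 * leading zero (except "0" itself), no sign, no whitespace and no 0x prefix.
 * Ambiguous input such as "062" is rejected rather than reinterpreted.
 * Returns 1 on success, 0 if rejected. */
int dotted_to_u32_strict(const char *dotted, uint32_t *out)
{
    uint32_t addr = 0;
    const char *p = dotted;

    for (int i = 0; i < 4; i++) {
        size_t ndigits = 0;
        unsigned v = 0;
        while (p[ndigits] >= '0' && p[ndigits] <= '9') {
            v = v * 10 + (unsigned)(p[ndigits] - '0');
            if (++ndigits > 3)
                return 0;             /* more than three digits */
        }
        if (ndigits == 0 || v > 255)
            return 0;
        if (ndigits > 1 && p[0] == '0')
            return 0;                 /* "062", "00", "08" all rejected */
        p += ndigits;
        if (i < 3) {
            if (*p != '.')
                return 0;
            p++;
        } else if (*p != '\0') {
            return 0;
        }
        addr = (addr << 8) | v;
    }
    *out = addr;
    return 1;
}

/* Convenience wrappers: the parsed address, or -1 when the input is rejected. */
int64_t parse_value(const char *s, int base)
{
    uint32_t a;
    return dotted_to_u32(s, base, &a) ? (int64_t)a : -1;
}

int64_t parse_value_strict(const char *s)
{
    uint32_t a;
    return dotted_to_u32_strict(s, &a) ? (int64_t)a : -1;
}

/* Render a host-order address as dotted decimal into buf (at least 16 bytes). */
const char *u32_to_dotted(uint32_t a, char *buf)
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)(a >> 16) & 255u,
             (unsigned)(a >> 8) & 255u, (unsigned)a & 255u);
    return buf;
}

int main(void)
{
    /* Constructed sample inputs: the report's padded address and some neighbours. */
    const char *inputs[] = { "62.65.107.157", "062.065.107.157", "0x3e.65.107.157", "08.1.1.1" };
    char buf[16];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t a;
        printf("%-18s base 0: %-16s", inputs[i],
               dotted_to_u32(inputs[i], 0, &a) ? u32_to_dotted(a, buf) : "malformed");
        printf(" strict: %s\n",
               dotted_to_u32_strict(inputs[i], &a) ? u32_to_dotted(a, buf) : "rejected");
    }
    return 0;
}
```

Running it shows the two readings side by side: with base 0 the padded address becomes 50.53.107.157 and "08.1.1.1" is rejected as malformed (the octal parse of "08" stops at the '8'), whereas the strict parser accepts only plain decimal octets and reports every padded or prefixed form as rejected. Passing base 10 to dotted_to_u32 would already make the padded address parse as 62.65.107.157, but it would still silently accept leading zeros; rejecting them outright is the less surprising choice for a rule parser.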