see #2653 Importer for iptables checks that netfilter table used in

the original iptables config is one of the tables we support. Currently only "filter", "mangle" and "nat" are supported. Also see #2651, #2652
2026-05-01 22:57:33 +02:00 · 2011-09-04 20:29:02 -07:00 · 2011-09-04 20:29:02 -07:00 · 2a74bc273d
commit 2a74bc273d
parent d45002faf9
5 changed files with 42 additions and 5 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,11 @@
 2011-09-04  Vadim Kurland  <vadim@netcitadel.com>

+	* IPTImporter.cpp (IPTImporter::isSupportedTable): see #2653
+	Importer for iptables checks that netfilter table used in
+	the original iptables config is one of the tables we support.
+	Currently only "filter", "mangle" and "nat" are supported. Also
+	see #2651, #2652
+
 	* FWObjectDatabase_tree_ops.cpp (_recursively_copy_subtree): see
 	#2654 fixes GUI crash that occured if user copied a rule from file
 	A to file B, then closed file B, opened file C and tried to copy
--- a/src/import/IPTImporter.cpp
+++ b/src/import/IPTImporter.cpp
@ -145,6 +145,25 @@ void IPTImporter::clear()
    iprange_dst_to = "";
 }

+void IPTImporter::registerTable(const string &table_name)
+{
+    current_table = table_name;
+
+    if ( ! isSupportedTable(table_name))
+    {
+        QString err = QObject::tr(
+            "Unrecognized netfilter table \"%1\". "
+            "Only tables \"filter\", \"mangle\" and \"nat\" are supported.")
+            .arg(QString::fromUtf8(table_name.c_str()));
+        reportError(err);
+    }
+}
+
+bool IPTImporter::isSupportedTable(const string &table_name)
+{
+    return (table_name == "nat" || table_name == "filter" || table_name == "mangle");
+}
+
 string IPTImporter::getBranchName(const std::string &suffix)
 {
    ostringstream str;
@ -1187,6 +1206,16 @@ void IPTImporter::pushPolicyRule()
            current_rule, QString::fromUtf8(rule_comment.c_str()));
    }

+    if ( ! isSupportedTable(current_table))
+    {
+        QString err = QObject::tr(
+            "Rule can not be imported correctly because "
+            "original configuration uses "
+            "unrecognized netfilter table \"%1\". ")
+            .arg(QString::fromUtf8(current_table.c_str()));
+        reportError(err);
+    }
+
    if (error_tracker->hasWarnings())
    {
        QStringList warn = error_tracker->getWarnings();
@ -1691,9 +1720,7 @@ UnidirectionalRuleSet* IPTImporter::getUnidirRuleSet(
                        ruleset->setName("Mangle");
                        getFirewallObject()->add(ruleset);
                    }
-                } 
-
-                if (current_table == "filter")
+                } else
                {
                    for (list<FWObject*>::iterator it=policies.begin();
                         it!=policies.end(); ++it)
--- a/src/import/IPTImporter.h
+++ b/src/import/IPTImporter.h
@ -175,6 +175,10 @@ class IPTImporter : public Importer
    virtual libfwbuilder::Firewall* finalize();

    bool isStandardChain(const std::string &ipt_chain);
+
+    void registerTable(const std::string &table_name);
+
+    bool isSupportedTable(const std::string &table_name);
 };

 #endif
--- a/src/parsers/IPTCfgParser.cpp
+++ b/src/parsers/IPTCfgParser.cpp
@ -193,7 +193,7 @@ void IPTCfgParser::start_table() {
 			// clear current table
 			importer->current_table = "";
 			}
-			importer->current_table = LT(0)->getText();
+			importer->registerTable(LT(0)->getText());
 			*dbg << "TABLE " << LT(0)->getText() << std::endl;
 			
 #line 200 "IPTCfgParser.cpp"
--- a/src/parsers/iptables.g
+++ b/src/parsers/iptables.g
@ -195,7 +195,7 @@ start_table : STAR WORD
                // clear current table
                importer->current_table = "";
            }
-            importer->current_table = LT(0)->getText();
+            importer->registerTable(LT(0)->getText());
            *dbg << "TABLE " << LT(0)->getText() << std::endl;
        }
    ;