Bug 1655128

Summary: commandline options handling flaws
Product: Red Hat Enterprise Linux 8
Component: iptables
Version: 8.0
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Jiri Peska <jpeska>
Assignee: Phil Sutter <psutter>
QA Contact: qe-baseos-daemons
CC: aloughla, atragler, iptables-maint-list, jpeska, kvolny, psutter, todoleza
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Clone Of: 1465078
Last Closed: 2018-12-04 16:44:15 UTC
Bug Depends On: 1465078
Bug Blocks: 1472751

Comment 1 Jiri Peska 2018-11-30 17:20:30 UTC
Description of problem:
When trying the new -W option, I have found some flaws handling the commandline.

Version-Release number of selected component (if applicable):
iptables-1.4.21-18.el7

How reproducible:
always

Steps to Reproduce:
1. iptables-restore -W
2. iptables-restore -W 0
3. iptables-restore --nonsense

Actual results:
1. # iptables-restore -W
dsfds
iptables-restore: line 1 failed

2. # iptables-restore -W 0
dssf
iptables-restore: line 1 failed

3. # iptables-restore --nonsense
iptables-restore: unrecognized option '--nonsense'
dsdsf
iptables-restore: line 1 failed

Expected results:
1. an error about missing value should be reported, program should exit without processing input

2. from man - "This option only works with -w." - so an error about missing "-w" should be reported and the program should exit without processing input

Plus I am not sure what sense it makes to set this to 0, probably it should be rejected?

3. similar to above, the program should exit without processing input

Comment 2 Phil Sutter 2018-12-03 10:31:32 UTC
Hi,

(In reply to Jiri Peska from comment #1)
> Description of problem:
> When trying the new -W option, I have found some flaws handling the
> commandline.
> 
> Version-Release number of selected component (if applicable):
> iptables-1.4.21-18.el7
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. iptables-restore -W
> 2. iptables-restore -W 0
> 3. iptables-restore --nonsense
> 
> Actual results:
> 1. # iptables-restore -W
> dsfds
> iptables-restore: line 1 failed
> 
> 2. # iptables-restore -W 0
> dssf
> iptables-restore: line 1 failed
> 
> 3. # iptables-restore --nonsense
> iptables-restore: unrecognized option '--nonsense'
> dsdsf
> iptables-restore: line 1 failed
> 
> Expected results:
> 1. an error about missing value should be reported, program should exit
> without processing input
> 
> 2. from man - "This option only works with -w." - so an error about missing
> "-w" should be reported and the program should exit without processing input
> 
> Plus I am not sure what sense it makes to set this to 0, probably it should be
> rejected?

In RHEL8, these options are simply ignored by iptables-restore, as locking is not needed anymore with the nftables backend. They are accepted just to stay compatible with how iptables-restore may be invoked. Therefore I don't see any sense in adding code for validation.

> 3. similar to above, the program should exit without processing input

I can't reproduce this on RHEL8 with package iptables-1.8.0-8.el8.x86_64. Could you please verify this is a valid complaint?

Thanks, Phil
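
Added example (not part of the bug thread and not iptables source code): a getopt_long-based parser showing the behaviour comment 1 asks for, where the whole command line is validated before any input is read. All names are hypothetical; modelling -w as a plain flag and rejecting a -W value of 0 are assumptions made for this sketch.

```c
#include <errno.h>
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; this is not iptables source code. */
enum parse_rc { ARGS_OK, ARGS_BAD_OPTION, ARGS_BAD_VALUE, ARGS_NEEDS_WAIT };
struct restore_opts { int wait; int have_interval; long interval_us; };

/* Validate the whole command line; the caller reads stdin only on ARGS_OK. */
enum parse_rc parse_restore_args(int argc, char **argv, struct restore_opts *o)
{
    static const struct option no_long_opts[] = { { NULL, 0, NULL, 0 } };
    char *end;
    int c;
    *o = (struct restore_opts){ 0 };
    optind = 0;  /* glibc/musl: reset getopt state so repeated calls work */
    opterr = 0;  /* diagnostics are left to the caller */
    /* Leading ':' makes getopt return ':' for a missing value, '?' for unknown. */
    while ((c = getopt_long(argc, argv, ":wW:", no_long_opts, NULL)) != -1) {
        switch (c) {
        case 'w':  /* assumption: -w modelled as a plain flag */
            o->wait = 1;
            break;
        case 'W':
            errno = 0;
            o->interval_us = strtol(optarg, &end, 10);
            /* assumption: 0, negatives, overflow and trailing junk are rejected */
            if (errno || end == optarg || *end || o->interval_us <= 0)
                return ARGS_BAD_VALUE;
            o->have_interval = 1;
            break;
        case ':':  /* e.g. "-W" with nothing after it */
            return ARGS_BAD_VALUE;
        default:   /* '?': e.g. "--nonsense" */
            return ARGS_BAD_OPTION;
        }
    }
    if (o->have_interval && !o->wait)
        return ARGS_NEEDS_WAIT;  /* man page: "This option only works with -w." */
    return ARGS_OK;
}

int main(int argc, char **argv)
{
    struct restore_opts o;
    int rc = parse_restore_args(argc, argv, &o);
    if (rc != ARGS_OK) fprintf(stderr, "invalid command line (code %d), input not read\n", rc);
    return rc == ARGS_OK ? 0 : 2;
}
```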