Bug 1465078 - commandline options handling flaws
commandline options handling flaws
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables (Show other bugs)
Unspecified Unspecified
medium Severity medium
: rc
: ---
Assigned To: Phil Sutter
Tomas Dolezal
Depends On:
Blocks: 1472751
  Show dependency treegraph
Reported: 2017-06-26 11:33 EDT by Karel Volný
Modified: 2018-06-15 08:15 EDT (History)
4 users (show)

See Also:
Fixed In Version: iptables-1.4.21-27.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Karel Volný 2017-06-26 11:33:13 EDT
Description of problem:
When trying the new -W option, I have found some flaws handling the commandline.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. iptables-restore -W
2. iptables-restore -W 0
3. iptables-restore --nonsense

Actual results:
1. # iptables-restore -W
iptables-restore: line 1 failed

2. # iptables-restore -W 0
iptables-restore: line 1 failed

3. # iptables-restore --nonsense
iptables-restore: unrecognized option '--nonsense'
iptables-restore: line 1 failed

Expected results:
1. an error about missing value should be reported, program should exit without processing input

2. from man - "This option only works with -w." - so an error about missing "-w" should be reported and the program should exit without processing input

Plus I am not sure what sense makes setting this to 0, probably it should be rejected?

3. similar as above, the program should exit without processing input

While such behaviour isn't explicitly defined in manpage, it is a good practice not to continue processing when the options are wrong. Imagine e.g. if someone would like to use '--test' but made a typo, so that the option would be unrecognized and the undesired action performed ...
Comment 3 Phil Sutter 2017-09-20 13:41:06 EDT
Ignoring unknown parameters has been fixed by following upstream commit:

commit d89dc47ab3875f6fe6679cebceccd2000bf81b8e
Author: Vincent Bernat <vincent@bernat.im>
Date:   Sat Apr 15 12:16:47 2017 +0200

    iptables-restore/save: exit when given an unknown option
    When an unknown option is given, iptables-restore should exit instead of
    continue its operation. For example, if `--table` was misspelled, this
    could lead to an unwanted change. Moreover, exit with a status code of
    1. Make the same change for iptables-save.
    OTOH, exit with a status code of 0 when requesting help.
    Signed-off-by: Vincent Bernat <vincent@bernat.im>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Patches fixing the parsing issues of wait-interval option have been sent upstream: https://marc.info/?l=netfilter-devel&m=150592888910234&w=2

I decided to not forbid '-W 0' since it is not invalid per se - if specified, xtables_lock() routine will busy loop until the lock could be acquired.
Comment 4 Phil Sutter 2017-10-06 11:40:17 EDT
Upstream accepted my patches:

commit 60e0ffd365a2d936b3df13c1289b2ef57b756d92
Author: Phil Sutter <phil@nwl.cc>
Date:   Wed Sep 20 19:34:35 2017 +0200

    ip{,6}tables-restore: Don't ignore missing wait-interval value
    Passing -W without a value doesn't make sense so bail out if none was
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

commit 21ba5b3874fb3d0c4cccc9b59f65c8df575211e2
Author: Phil Sutter <phil@nwl.cc>
Date:   Wed Sep 20 19:34:36 2017 +0200

    ip{,6}tables-restore: Don't accept wait-interval without wait
    If -W <val> was given, error out if -w wasn't since that doesn't make
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Note You need to log in before you can comment on or make changes to this bug.