ip6tables-save LOG target output is different to iptables-save

ip6tables-save LOG target output is different to iptables-save

[Scott Baillie]

Hi All,

I am using  ip6tables-save  version  v1.4.14 and have noticed
that the output of the LOG target is different to the output from
iptables-save  version  v1.4.14.

I am sorry but I have not checked to see if this problem has been
fixed with later versions so this problem may already be fixed
but here is the output from the LOG target in my version :


Output from ip6tables-save has quotes
------------------------------
-A INPUT -j LOG --log-prefix "prefix1"


Output from iptables-save does not have quotes
------------------------------------------------
-A INPUT -j LOG --log-prefix prefix1


Regards,

Scott.

Re: ip6tables-save LOG target output is different to iptables-save

[Phil Oester]

On Sat, Jul 06, 2013 at 01:42:00PM +1000, Scott Baillie wrote:
> Hi All,
> 
> I am using  ip6tables-save  version  v1.4.14 and have noticed
> that the output of the LOG target is different to the output from
> iptables-save  version  v1.4.14.

Yes, quotes are not included if there is no whitespace, but it is
quoted if whitespace is present:

-A INPUT -s 1.2.3.4/32 -j LOG --log-prefix "foo doo"
-A INPUT -s 1.2.3.4/32 -j LOG --log-prefix foo

Is this an issue?

Phil

Re: ip6tables-save LOG target output is different to iptables-save

[Scott Baillie]

Hi Phil,

It is not a huge issue, it is just inconsistent.

ip6tables-save will always quote the prefix string and iptables-save
will sometimes quote the prefix string.

It just makes it a little bit harder to parse the output , because
both tools should produce the same output
wherever possible in my opinion.

Regards,

Scott.

On Sat, Jul 6, 2013 at 2:41 PM, Phil Oester <kernel@linuxace.com> wrote:
> On Sat, Jul 06, 2013 at 01:42:00PM +1000, Scott Baillie wrote:
>> Hi All,
>>
>> I am using  ip6tables-save  version  v1.4.14 and have noticed
>> that the output of the LOG target is different to the output from
>> iptables-save  version  v1.4.14.
>
> Yes, quotes are not included if there is no whitespace, but it is
> quoted if whitespace is present:
>
> -A INPUT -s 1.2.3.4/32 -j LOG --log-prefix "foo doo"
> -A INPUT -s 1.2.3.4/32 -j LOG --log-prefix foo
>
> Is this an issue?
>
> Phil

Re: ip6tables-save LOG target output is different to iptables-save

[Phil Oester]

[-- Attachment #1: Type: text/plain, Size: 534 bytes --]

On Sat, Jul 06, 2013 at 03:07:15PM +1000, Scott Baillie wrote:
> It just makes it a little bit harder to parse the output , because
> both tools should produce the same output
> wherever possible in my opinion.

Agreed.  Patch follows which makes the two tools consistent, however
they will now both not quote the prefix if only one word is present.

libipt_LOG is using the xtables_save_string func, which escapes unsafe
characters as needed.  libip6t_LOG should do the same.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>


[-- Attachment #2: patch-ip6ts-log --]
[-- Type: text/plain, Size: 640 bytes --]

diff --git a/extensions/libip6t_LOG.c b/extensions/libip6t_LOG.c
index 2b1ae28..4639268 100644
--- a/extensions/libip6t_LOG.c
+++ b/extensions/libip6t_LOG.c
@@ -146,8 +146,10 @@ static void LOG_save(const void *ip, const struct xt_entry_target *target)
 	const struct ip6t_log_info *loginfo
 		= (const struct ip6t_log_info *)target->data;
 
-	if (strcmp(loginfo->prefix, "") != 0)
-		printf(" --log-prefix \"%s\"", loginfo->prefix);
+	if (strcmp(loginfo->prefix, "") != 0) {
+		printf(" --log-prefix");
+		xtables_save_string(loginfo->prefix);
+	}
 
 	if (loginfo->level != LOG_DEFAULT_LEVEL)
 		printf(" --log-level %d", loginfo->level);

Re: ip6tables-save LOG target output is different to iptables-save

[Pablo Neira Ayuso]

On Sat, Jul 06, 2013 at 08:56:01AM -0700, Phil Oester wrote:
> On Sat, Jul 06, 2013 at 03:07:15PM +1000, Scott Baillie wrote:
> > It just makes it a little bit harder to parse the output , because
> > both tools should produce the same output
> > wherever possible in my opinion.
> 
> Agreed.  Patch follows which makes the two tools consistent, however
> they will now both not quote the prefix if only one word is present.
> 
> libipt_LOG is using the xtables_save_string func, which escapes unsafe
> characters as needed.  libip6t_LOG should do the same.

Applied, thanks Phil.