[BUG] Prepending iptables path to list of args in runWithOutput makes some methods fail unexpectedly

[gianni4sec]

Description of the issue

It seems like in the function runWithOutput the iptables path is erroneously prepended to the list of args, resulting in some methods failing unexpectedly, as in the example below. I've only tested Exists so far. The solution is to simply remove the prepended iptables path, everything seems to work correctly this way.

go-iptables/iptables/iptables.go

Lines 521 to 522 in fa6abe8

	func (ipt *IPTables) runWithOutput(args []string, stdout io.Writer) error {
	args = append([]string{ipt.path}, args...)

Then further down in the same function:

go-iptables/iptables/iptables.go

Lines 544 to 549 in fa6abe8

	cmd := exec.Cmd{
	Path: ipt.path,
	Args: args,
	Stdout: stdout,
	Stderr: &stderr,
	}

How to reproduce

Example:

package main

import (
	"bytes"
	"fmt"
	"os/exec"

	"github.com/coreos/go-iptables/iptables"
)

func main() {
	const setName = "some-unexisting-set"
	const filterTableName = "filter"

	ipv4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
	if err != nil {
		panic(err)
	}

	fmt.Println("Using go-iptables:")
	_, err = ipv4.Exists(filterTableName, "INPUT", "-m set --match-set", setName, "src", "-j DROP")
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println()
	fmt.Println("Using exec.Command without repetition:")
	var stdout, stderr bytes.Buffer
	cmd := exec.Command("/usr/sbin/iptables", "-t", filterTableName, "-C", "INPUT", "-m", "set", "--match-set", setName, "src", "-j", "DROP", "--wait")
	cmd.Stdout = &stdout
	cmd.Stderr = &stderr
	if err := cmd.Run(); err != nil {
		fmt.Printf("running %v: exit status %v: %v", append([]string{"/usr/sbin/iptables"}, cmd.Args...), cmd.ProcessState.ExitCode(), stderr.String())
	}
}

Output:

Using go-iptables:
cmd /usr/sbin/iptables [/usr/sbin/iptables -t filter -C INPUT -m set --match-set some-unexisting-set src -j DROP --wait]
running [/usr/sbin/iptables -t filter -C INPUT -m set --match-set some-unexisting-set src -j DROP --wait]: exit status 2: iptables v1.8.4 (legacy): Couldn't load match ` set --match-set':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.


Using exec.Command without repetition:
running [/usr/sbin/iptables /usr/sbin/iptables -t filter -C INPUT -m set --match-set some-unexisting-set src -j DROP --wait]: exit status 2: iptables v1.8.4 (legacy): Set some-unexisting-set doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.

Please note "Couldn't load match ` set --match-set':No such file or directory" vs "Set some-unexisting-set doesn't exist." in the error.

[bgilbert]

Argument 0 to any Unix process is the name of the program being executed, but the kernel does not handle that automatically. So it's correct and conventional that we're specifying the program name twice: once as the file to be executed, and once as its argument 0.

The actual problem is that in the good case, you're specifying -m set --match-set as three different arguments, but in the bad case you're incorrectly specifying -m set --match-set as a single argument. This is indicated in the error message you received. (You're also doing the same with -j DROP.)

[gianni4sec]

Thanks for spotting this! Indeed that is the problem.