authorPhil Sutter <>2018-08-23 17:43:23 +0200
committerPablo Neira Ayuso <>2018-08-24 10:05:51 +0200
commitacde6be32036f36122c31afbfca4828b2790e05d (patch)
tree2faa11f38ecc7b46b7c42f05ca6965ba51abb461 /iptables/nft-bridge.h
parent2c4e4d2a7432d483ac5599a15b36d1dc1edf72df (diff)
ebtables-translate: Fix segfault while parsing extension options
Previous review of match/target lookup did not consider xtables-eb-translate.c which contains the same code. Fix parsing of target/match arguments there as well by introducing ebt_command_default() which consolidates the previously duplicated code. One notable quirk in comparison to the similar xtables code: Since ebtables allows for negations in ugly places (e.g. '--arp-opcode ! 1'), ebt_check_inverse2() has to be called first. Fixes: aa7fb04fcf72c ("ebtables: Review match/target lookup") Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft-bridge.h')
1 files changed, 1 insertions, 0 deletions
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index 8dcb151f..601476dd 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -120,5 +120,6 @@ void ebt_add_match(struct xtables_match *m,
struct iptables_command_state *cs);
void ebt_add_watcher(struct xtables_target *watcher,
struct iptables_command_state *cs);
+int ebt_command_default(struct iptables_command_state *cs);