diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-19 00:15:13 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-22 19:59:45 +0100 |
commit | 6c8db125b258da070313f20cdf9bc4124bba5383 (patch) | |
tree | 9657a507f1616c0da51683ecc5b9e759ae88a5a7 /iptables/nft-shared.c | |
parent | 0e067c7142c73404eb9ba6e355a28a92bf493675 (diff) |
iptables-compat: unset context flags in netlink delinearize step
Once the data that the compare expression provides have been digested.
For example:
-A INPUT -i noexist -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
doesn't show anymore the following broken output via iptables-compat-save:
-A INPUT -i
+t -p udplite -s 10.10.10.10/32 -d 10.0.0.10/32 -j ACCEPT
Reported-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Diffstat (limited to 'iptables/nft-shared.c')
-rw-r--r-- | iptables/nft-shared.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 620da3e7..1182f560 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -434,11 +434,15 @@ void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nft_rule_expr *e) if (ctx->reg && reg != ctx->reg) return; - if (ctx->flags & NFT_XT_CTX_META) + if (ctx->flags & NFT_XT_CTX_META) { ops->parse_meta(ctx, e, data); + ctx->flags &= ~NFT_XT_CTX_META; + } /* bitwise context is interpreted from payload */ - if (ctx->flags & NFT_XT_CTX_PAYLOAD) + if (ctx->flags & NFT_XT_CTX_PAYLOAD) { ops->parse_payload(ctx, e, data); + ctx->flags &= ~NFT_XT_CTX_PAYLOAD; + } } void nft_parse_counter(struct nft_rule_expr *e, struct xt_counters *counters) |