path: root/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
diff options
authorAdel Belhouane <>2019-07-26 09:24:37 +0200
committerFlorian Westphal <>2019-07-29 02:34:56 +0200
commitd76475ce1c30f6c3e3f3ca85964bdfc4425acb81 (patch)
treebb4eda4785484cc4be59c16b36fe51d1e91c62ce /iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
parentb1b24aec274728c5ceb914fc4511828432c3fbed (diff)
restore legacy behaviour of iptables-restore when rules start with -4/-6
v2: moved examples to testcase files Legacy implementation of iptables-restore / ip6tables-restore allowed to insert a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed to mix specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4. There's a distribution bug report mentioning this problem: Restore the legacy behaviour: - let do_parse() return and thus not add a command in those restore special cases - let do_commandx() ignore CMD_NONE instead of bailing out I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4: % iptables-nft -6 -A INPUT -p tcp -j ACCEPT Signed-off-by: Adel Belhouane <> Signed-off-by: Florian Westphal <>
Diffstat (limited to 'iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0')
1 files changed, 26 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
new file mode 100755
index 00000000..dd069771
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
@@ -0,0 +1,26 @@
+# Make sure iptables-restore simply ignores
+# rules starting with -6
+set -e
+# show rules, drop uninteresting policy settings
+ipt_show() {
+ $XT_MULTI iptables -S | grep -v '^-P'
+# issue reproducer for iptables-restore
+$XT_MULTI iptables-restore <<EOF
+-A FORWARD -m comment --comment any -j ACCEPT
+-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT
+-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT
+EXPECT='-A FORWARD -m comment --comment any -j ACCEPT
+-A FORWARD -m comment --comment ipv4 -j ACCEPT'
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)