authorFlorian Westphal <>2018-11-02 14:36:54 +0100
committerFlorian Westphal <>2018-11-03 20:35:22 +0100
commitfd95f1f0223f8e2ecf91aa8d1a4ba84576861082 (patch)
tree3f3d5eccdd114000afa0a81de80dd2a492286cda /iptables/xtables-eb.c
parentfb747f8ae01bdcbb197f5f9fc1085416ad636d38 (diff)
ebtables: fix -j CONTINUE handling for add/delete
-j CONTINUE can be added, but it can't be removed: extensions/libebt_standard.t: ERROR: line 5 (cannot find: ebtables -I INPUT -d de:ad:be:ef:00:00 -j CONTINUE) This problem stems from silly ambiguity in ebtables-nft vs. iptables. In iptables, you can do iptables -A INPUT (no -j) in ebtables, you can do either ebtables -A INPUT or ebtables -A INPUT -j CONTINUE both are *supposed* to be the same (and they do the same even in ebtables-nft on netlink side). However, the temporary binary representation within ebtables-nft is not the same: when parsing -j CONTINUE, we add a standard target, then omit it later in _add_target(). When translating netlink representation to ebt binary one, we do not add a standard target and instead just print '-j CONTINUE' when listing rules. So when doing -I INPUT -j CONTINUE -D INPUT -j CONTINUE the -D operation fails because it has a standard target in the binary representation, whereas the rule we obtained from translating nftables netlink back to ebtables' binary representation doesn't. Fix it by ignoring 'CONTINUE' on parser side. Signed-off-by: Florian Westphal <>
Diffstat (limited to 'iptables/xtables-eb.c')
1 files changed, 5 insertions, 2 deletions
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 64f332c1..721bab57 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -824,6 +824,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table,
struct xtables_target *t;
struct iptables_command_state cs = {
.argv = argv,
+ .jumpto = "",
.eb.bitmask = EBT_NOPROTO,
char command = 'h';
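Review bot: The new `.jumpto = "",` initializer carries no comment explaining why the default is an empty string rather than NULL. With the second hunk skipping the assignment for `-j CONTINUE`, cs.jumpto is never written on that path, so this default is presumably what later string handling relies on to see a valid pointer. A one-line comment above the field would record that, for example `/* empty, not NULL: "-j CONTINUE" and a missing -j both leave this untouched */`. The initializer and do_commandeb itself continue outside the hunk.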
@@ -1066,8 +1067,10 @@ print_zero:
} else if (c == 'j') {
ebt_check_option2(&flags, OPT_JUMP);
- cs.jumpto = parse_target(optarg);
- = ebt_command_jump(cs.jumpto);
+ if (strcmp(optarg, "CONTINUE") != 0) {
+ cs.jumpto = parse_target(optarg);
+ = ebt_command_jump(cs.jumpto);
+ }
} else if (c == 's') {
ebt_check_option2(&flags, OPT_SOURCE);
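Review bot: In the `c == 'j'` branch, `ebt_check_option2(&flags, OPT_JUMP)` still records OPT_JUMP before the new `strcmp(optarg, "CONTINUE") != 0` guard skips parse_target() and the ebt_command_jump() assignment. After `-j CONTINUE` the flag is therefore set while the jump state in cs stays at its defaults. Any later code in do_commandeb that tests OPT_JUMP and then reads the target has to tolerate that combination; this is not visible in the hunk and should be confirmed. The guard also skips parse_target()'s validation for this one literal, which is fine for an exact match but worth stating in a comment such as `/* CONTINUE is the implicit verdict: store nothing so -A/-I and -D build the same rule */`. The enclosing function starts and ends outside the hunk.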