path: root/iptables/xtables.c
diff options
authorAdel Belhouane <>2019-07-26 09:24:37 +0200
committerFlorian Westphal <>2019-07-29 02:34:56 +0200
commitd76475ce1c30f6c3e3f3ca85964bdfc4425acb81 (patch)
treebb4eda4785484cc4be59c16b36fe51d1e91c62ce /iptables/xtables.c
parentb1b24aec274728c5ceb914fc4511828432c3fbed (diff)
restore legacy behaviour of iptables-restore when rules start with -4/-6
v2: moved examples to testcase files Legacy implementation of iptables-restore / ip6tables-restore allowed to insert a -4 or -6 option at start of a rule line to ignore it if not matching the command's protocol. This allowed to mix specific ipv4 and ipv6 rules in a single file, as still described in iptables 1.8.3's man page in options -4 and -6. The implementation over nftables doesn't behave correctly in this case: iptables-nft-restore accepts both -4 or -6 lines and ip6tables-nft-restore throws an error on -4. There's a distribution bug report mentioning this problem: Restore the legacy behaviour: - let do_parse() return and thus not add a command in those restore special cases - let do_commandx() ignore CMD_NONE instead of bailing out I didn't attempt to fix all minor anomalies, but just to fix the regression. For example in the line below, iptables should throw an error instead of accepting -6 and then adding it as ipv4: % iptables-nft -6 -A INPUT -p tcp -j ACCEPT Signed-off-by: Adel Belhouane <> Signed-off-by: Florian Westphal <>
Diffstat (limited to 'iptables/xtables.c')
1 files changed, 9 insertions, 0 deletions
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 93d9dcba..0e0cb5f5 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -955,6 +955,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
case '4':
+ if (p->restore && args->family == AF_INET6)
+ return;
if (args->family != AF_INET)
@@ -962,6 +965,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
case '6':
+ if (p->restore && args->family == AF_INET)
+ return;
args->family = AF_INET6;
@@ -1174,6 +1180,9 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
+ case CMD_NONE:
+ /* do_parse ignored the line (eg: -4 with ip6tables-restore) */
+ break;
/* We should never reach this... */