From 780607f8b040a47cd2d4775376e2d30f567dc049 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 7 Jun 2011 22:20:13 +0200
Subject: option: fix ignored negation before implicit extension loading
`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not present in a subsequent `iptables -S`. Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto extension, cs.invert must not be touched until the next getopt call. This is now fixed by having command_default return a value to indicate whether to jump or not.
Signed-off-by: Jan Engelhardt
---
 iptables/ip6tables.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'iptables/ip6tables.c')
diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4df73b8d..4037acfb 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1716,7 +1716,13 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 exit_tryhelp(2);
 default:
- command_default(&cs, &ip6tables_globals);
+ if (command_default(&cs, &ip6tables_globals) == 1)
+ /*
+ * If new options were loaded, we must retry
+ * getopt immediately and not allow
+ * cs.invert=FALSE to be executed.
+ */
+ continue;
 break;
 }
 cs.invert = FALSE;
-- cgit v1.2.3
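Review bot: The new `if` in the `default:` case is unbraced even though a five-line comment sits between the condition and `continue;`, so the controlled statement is easy to misread or to break with a later insertion; I would brace it as `if (command_default(&cs, &ip6tables_globals) == 1) {` … `continue;` `}`. The bare `== 1` also leaves the return contract implicit at this call site: command_default is changed outside this file-limited view, so whether other non-zero values exist and should really fall through to `break` and the `cs.invert = FALSE` reset cannot be confirmed from the hunk, and a named constant or a short note on what 1 means would help. Because a silently dropped `!` makes a filter rule match the opposite set of packets from what the administrator wrote, a regression check that the `-p tcp ! --syn` case from the commit message still shows its negation in `-S` output would be worth adding with the fix. do_command6's body starts and ends outside the hunk.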