authorArturo Borrero <arturo.borrero.glez@gmail.com>2015-01-13 18:36:10 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2015-01-28 17:23:31 +0100
commit457ed5e1231cf433b239fd10ccf3d976805eb4d8 (patch)
tree6aee34214c8d97cecdb7273f04e13b6731ad2890 /iptables/nft-bridge.c
parent3397fb3be98ff90ff3d6788fe08d81b65d7b027c (diff)
ebtables-compat: fix ACCEPT printing by simplifying logic
The commit bc543af ("ebtables-compat: fix segfault in rules w/o target") doesn't handle all possible cases of target printing, and ACCEPT is left behind. BTW, the logic of target (-j XXX) printing is a bit weird. This patch simplifies it. I assume: * cs->jumpto is only filled by nft_immediate. * cs->target is only filled by nft_target. So we end with these cases: * nft_immediate contains a 'standard' target (ACCEPT, DROP, CONTINUE, RETURN, chain) Then cs->jumpto contains the target already. We have the rule. * No standard target. If nft_target contains a target, try to load it. * Neither nft_target nor nft_immediate exist. Then, assume CONTINUE. The printing path is then straight forward: either cs.jumpto or cs.target contains the target. As there isn't support for target extensions yet, there is no way to test the nft_target (cs.target) path. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-bridge.c')
-rw-r--r--iptables/nft-bridge.c27
1 files changed, 11 insertions, 16 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index fd9554eb..9747405e 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -337,12 +337,13 @@ void nft_rule_to_ebtables_command_state(struct nft_rule *r,
nft_rule_expr_iter_destroy(iter);
- if (cs->target != NULL)
- cs->jumpto = cs->target->name;
- else if (cs->jumpto != NULL)
- cs->target = xtables_find_target(cs->jumpto, XTF_TRY_LOAD);
+ if (cs->jumpto != NULL)
+ return;
+
+ if (cs->target != NULL && cs->target->name != NULL)
+ cs->target = xtables_find_target(cs->target->name, XTF_TRY_LOAD);
else
- cs->jumpto = "";
+ cs->jumpto = "CONTINUE";
}
static void print_iface(const char *iface)
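Review bot: The result of `xtables_find_target(cs->target->name, XTF_TRY_LOAD)` is assigned straight back to `cs->target` without a check; with XTF_TRY_LOAD the lookup can return NULL, and the function then returns with both `cs->target` and `cs->jumpto` NULL. The printing hunk in nft_bridge_print_firewall would then emit a bare `-j ` for that rule, which is misleading in a listing someone uses to audit the ruleset. Keeping the name across the lookup avoids this: `const char *name = cs->target->name;`, then `cs->target = xtables_find_target(name, XTF_TRY_LOAD);` and `if (cs->target == NULL) cs->jumpto = name;`. That assumes the original target struct stays alive as long as the command state, which the hunk does not show. The function body starts outside the hunk.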
@@ -455,17 +456,11 @@ static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
}
printf("-j ");
- if (cs.target != NULL) {
- if (cs.target->print != NULL) {
- cs.target->print(&cs.fw, cs.target->t,
- format & FMT_NUMERIC);
- }
- } else {
- if (strcmp(cs.jumpto, "") == 0)
- printf("CONTINUE");
- else
- printf("%s", cs.jumpto);
- }
+
+ if (cs.jumpto != NULL)
+ printf("%s", cs.jumpto);
+ else if (cs.target != NULL && cs.target->print != NULL)
+ cs.target->print(&cs.fw, cs.target->t, format & FMT_NUMERIC);
if (!(format & FMT_NOCOUNTS))
printf(" , pcnt = %"PRIu64" -- bcnt = %"PRIu64"",
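Review bot: The new `if`/`else if` chain has no final branch, so a rule whose `cs.target` is set but has no `print` callback prints nothing after `-j `. The removed code had the same gap, and this simplification is a natural place to close it; a trailing `else if (cs.target != NULL) printf("%s", cs.target->name);` would at least name the target. Separately, `cs.target->print()` now receives `cs.target->t` from the struct returned by the re-lookup in nft_rule_to_ebtables_command_state. Whether `t` is populated on that struct is not visible here and should be confirmed, since the commit message says this path cannot be tested yet. The function starts and ends outside the hunk.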