-rwxr-xr-xiptables/tests/shell/testcases/ipt-restore/0005-ipt-6_026
-rwxr-xr-xiptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_026
-rw-r--r--iptables/xtables.c9
3 files changed, 61 insertions, 0 deletions
diff --git a/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0 b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
new file mode 100755
index 00000000..dd069771
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0005-ipt-6_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Make sure iptables-restore simply ignores
+# rules starting with -6
+
+set -e
+
+# show rules, drop uninteresting policy settings
+ipt_show() {
+ $XT_MULTI iptables -S | grep -v '^-P'
+}
+
+# issue reproducer for iptables-restore
+
+$XT_MULTI iptables-restore <<EOF
+*filter
+-A FORWARD -m comment --comment any -j ACCEPT
+-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT
+-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='-A FORWARD -m comment --comment any -j ACCEPT
+-A FORWARD -m comment --comment ipv4 -j ACCEPT'
+
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
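Review bot: Only the case where -4/-6 is the first option on the line is exercised here, and the same holds for 0006-ip6t-4_0. A restore line that places the family flag after the command, for example `-A FORWARD -6 -m comment --comment ipv6 -j ACCEPT`, would show whether the line is dropped as a whole or leaves a partially parsed rule behind. Adding that line to the heredoc with EXPECT unchanged would pin the intended behaviour. For a ruleset loader a silently truncated rule is worse than a rejected one, so this case is worth covering.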
diff --git a/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0 b/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0
new file mode 100755
index 00000000..a37253a9
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0006-ip6t-4_0
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# Make sure ip6tables-restore simply ignores
+# rules starting with -4
+
+set -e
+
+# show rules, drop uninteresting policy settings
+ipt_show() {
+ $XT_MULTI ip6tables -S | grep -v '^-P'
+}
+
+# issue reproducer for ip6tables-restore
+
+$XT_MULTI ip6tables-restore <<EOF
+*filter
+-A FORWARD -m comment --comment any -j ACCEPT
+-4 -A FORWARD -m comment --comment ipv4 -j ACCEPT
+-6 -A FORWARD -m comment --comment ipv6 -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='-A FORWARD -m comment --comment any -j ACCEPT
+-A FORWARD -m comment --comment ipv6 -j ACCEPT'
+
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 93d9dcba..0e0cb5f5 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -955,6 +955,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case '4':
+ if (p->restore && args->family == AF_INET6)
+ return;
+
if (args->family != AF_INET)
exit_tryhelp(2);
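Review bot: The early `return` in case '4' (and the matching one in case '6' in the next hunk) leaves do_parse with whatever has been parsed so far, so it is only safe if no command option preceded the family flag on the line. If a restore line reads `-A FORWARD -6 ...`, the command is presumably already recorded when the return is taken, and do_commandx may then act on an incomplete rule instead of skipping the line; for a firewall that could mean a broader rule than the one written. Resetting the command before returning, e.g. `p->command = CMD_NONE;` ahead of `return;`, would make the skip independent of option order, assuming the command is stored in p->command, which the hunk does not show. do_parse starts and ends outside the hunk, so any cleanup of state built up before the return is not visible here.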
@@ -962,6 +965,9 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
break;
case '6':
+ if (p->restore && args->family == AF_INET)
+ return;
+
args->family = AF_INET6;
xtables_set_nfproto(AF_INET6);
@@ -1174,6 +1180,9 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
case CMD_SET_POLICY:
ret = nft_chain_set(h, p.table, p.chain, p.policy, NULL);
break;
+ case CMD_NONE:
+ /* do_parse ignored the line (eg: -4 with ip6tables-restore) */
+ break;
default:
/* We should never reach this... */
exit_tryhelp(2);
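Review bot: The new CMD_NONE branch does not assign `ret`, so do_commandx reports whatever `ret` was initialised to outside this hunk. The branch is also taken for any parse that ends without a command, not only for the restore case named in the comment. If do_parse is expected to reject a missing command everywhere else, the comment should state that invariant, e.g. `/* only reachable when do_parse skipped a restore line for the other family (eg: -4 with ip6tables-restore); ret keeps its initial value */`. do_commandx starts and ends outside the hunk.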