If the protocol module has already been loaded (find_proto() is successful) but has not yet been activated for this command (proto_used is not yet set), we have to activate the protocol-specific match for this command. Without the modification iptables-restore will fail if an implicitly loaded protocol match is used for the second time.

...
-A somechain -p udp --dport 500 -j ACCEPT
-A somechain -p udp --dport 4500 -j ACCEPT
...

will fail for the "4500" line with "--dport" being an unknown option.

Signed-off-by: Lutz Jaenicke <ljaenicke@xxxxxxxxxxxxxx>
---
 xshared.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/xshared.c b/xshared.c index 404a9f5..87402b4 100644 --- a/xshared.c +++ b/xshared.c @@ -92,7 +92,7 @@ static bool should_load_proto(struct iptables_command_state *cs) if (find_proto(cs->protocol, XTF_DONT_LOAD, cs->options & OPT_NUMERIC, NULL) == NULL) return true; - return cs->proto_used; + return !cs->proto_used; } struct xtables_match *load_proto(struct iptables_command_state *cs) -- 1.7.2.5
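Review bot: The corrected `return !cs->proto_used;` is right, but combined with the early `return true;` when find_proto() yields NULL the function is now just "load unless this command already activated the match", and the double negative is easy to misread the next time someone touches it; consider collapsing the two returns into one expression, `return find_proto(...) == NULL || !cs->proto_used;`, and adding a one-line comment that proto_used is per command while the loaded module persists across commands, since that difference is exactly why the old code only broke on the second rule.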
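To make the failure mode in the commit message concrete, the following is an added model of the predicate before and after the patch; it is example code written for this page, not code from xtables or from the patch author. The cache of loaded modules (`loaded_protos`, `find_proto_cached`), the per-command `cmd_state` struct, `load_proto_for` and the toy `parse_dport` option check are all hypothetical stand-ins built on the two facts the message states: a found protocol module stays loaded for later commands in the same run, and proto_used starts out clear for every command.

```c
/* Added model of the should_load_proto() fix; not xtables code.
 * Assumptions (hypothetical, derived from the commit message):
 *  - a protocol match module stays loaded in the process once found,
 *    so find_proto() succeeds for every later command in the same
 *    iptables-restore run;
 *  - proto_used is per command and starts out clear for each rule.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for struct iptables_command_state. */
struct cmd_state {
    const char *protocol;
    bool proto_used;   /* match activated for *this* command */
};

/* Process-wide cache of loaded protocol modules (hypothetical). */
#define MAX_LOADED 8
static const char *loaded_protos[MAX_LOADED];
static size_t nloaded;

/* Stand-in for find_proto(): non-NULL iff the module is already loaded. */
static const char *find_proto_cached(const char *proto)
{
    for (size_t i = 0; i < nloaded; i++)
        if (strcmp(loaded_protos[i], proto) == 0)
            return loaded_protos[i];
    return NULL;
}

/* Pre-patch predicate: "return cs->proto_used". */
bool should_load_proto_old(const struct cmd_state *cs)
{
    if (find_proto_cached(cs->protocol) == NULL)
        return true;
    return cs->proto_used;
}

/* Post-patch predicate: "return !cs->proto_used". */
bool should_load_proto_new(const struct cmd_state *cs)
{
    if (find_proto_cached(cs->protocol) == NULL)
        return true;
    return !cs->proto_used;
}

/* Load the module if needed and activate the match for this command. */
static void load_proto_for(struct cmd_state *cs)
{
    if (find_proto_cached(cs->protocol) == NULL && nloaded < MAX_LOADED)
        loaded_protos[nloaded++] = cs->protocol;
    cs->proto_used = true;
}

/* Toy option parser: "--dport" is only known once the udp match is
 * active for the current command. */
static bool parse_dport(const struct cmd_state *cs)
{
    return cs->proto_used;
}

/* Feed n rules of the form "-p udp --dport N" through one restore run
 * using the given predicate; returns how many rules accepted --dport. */
int restore_udp_rules(int n, bool (*should_load)(const struct cmd_state *))
{
    int ok = 0;
    nloaded = 0;   /* fresh process, nothing loaded yet */
    for (int i = 0; i < n; i++) {
        struct cmd_state cs = { .protocol = "udp", .proto_used = false };
        if (should_load(&cs))
            load_proto_for(&cs);
        if (parse_dport(&cs))
            ok++;
    }
    return ok;
}
```

With the old predicate the first rule loads the module and sets proto_used, so `--dport` parses; the second rule finds the module already loaded, sees proto_used clear, and the old `return cs->proto_used` answers "do not load", leaving `--dport` unknown. The inverted return makes the second and every later rule activate the match again.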