0xFF is unlikely to happen (given that ALL translates to 0x3F at most), but assuming that through magic, 0xFF was put into memory, iptables -S/iptables-save would ignore printing it, practically outputting just one argument to --tcp-flags which currently wants two. Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx> --- extensions/libxt_tcp.c | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_tcp.c b/extensions/libxt_tcp.c index 3940d91..e849fa2 100644 --- a/extensions/libxt_tcp.c +++ b/extensions/libxt_tcp.c @@ -357,9 +357,7 @@ static void tcp_save(const void *ip, const struct xt_entry_match *match) if (tcpinfo->invflags & XT_TCP_INV_FLAGS) printf(" !"); printf(" --tcp-flags "); - if (tcpinfo->flg_mask != 0xFF) { - print_tcpf(tcpinfo->flg_mask); - } + print_tcpf(tcpinfo->flg_mask); printf(" "); print_tcpf(tcpinfo->flg_cmp); } -- 1.7.3.4
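Review bot: In tcp_save, the now-unconditional print_tcpf(tcpinfo->flg_mask) guarantees that two arguments follow --tcp-flags, but the commit message does not say what print_tcpf emits for a mask such as 0xFF, which has bits set above the 0x3F that ALL covers. Because this output is meant to be read back by the rule parser, please confirm that the first argument is a token --tcp-flags accepts in that case, and state the resulting output in the commit message. If the 0xFF case is considered unreachable, saying so in a short comment next to the call would explain why no special handling remains.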