Re: [iptables PATCH 13/23] ebtables: Fix loading of non-standard targets

Hi Pablo,

On Fri, Jul 27, 2018 at 01:43:09PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Jul 27, 2018 at 12:22:32AM +0200, Phil Sutter wrote:
> > Another fix for ebtables-restore: When encountering a non-standard
> > target, command_jump() tries to load it and may retrieve an already
> > loaded one taken from xtables_targets. Detect this by checking whether
> > option_offset field is non-zero (i.e., merge_options() has already been
> > called for it) and don't allocate per-target data (which would leak
> > memory) or merge options again (which would break rule parsing
> > afterwards).
> > 
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> >  iptables/xtables-eb.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
> > index 644bc63a747c6..06ca5daa20541 100644
> > --- a/iptables/xtables-eb.c
> > +++ b/iptables/xtables-eb.c
> > @@ -392,6 +392,11 @@ static struct xtables_target *command_jump(struct iptables_command_state *cs,
> >  	if (!target)
> >  		return NULL;
> >  
> > +	/* avoid allocating data and merging options if target was
> > +	 * already loaded (i.e. returned from xtables_targets list) */
> > +	if (target->option_offset)
> > +		return target;
> 
> Hm, I overlook this: command_jump() in iptables/xtables.c doesn't need
> this, why do we need it here?

I think the core reason is that for ebtables, targets/matches are loaded
at once and not on demand since ebtables does not support '-m'
parameter. Without above change, the extra call to merge_options()
messes up ebtables_globals.opts. In do_parse() (used by iptables), the
equivalent xtables_globals.opts is reset before calling getopt_long().
If I do the same in ebtables, parsing matches fails. Probably because
match options are not contained in ebtables_globals.opts anymore.

So far I haven't found an alternative way to solve this (or align it
better with iptables code).

Cheers, Phil
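The reuse case discussed above (a second command_jump() for a target that xtables_targets already holds, so merge_options() would run twice and the per-target data would be allocated twice) can be modelled outside the iptables tree. The C below is an added example, not code from iptables, from the patch, or from either poster; the target registry, the option tables, and the names load_target(), merge_options(), reset_state() and double_load_count() are hypothetical stand-ins, and global_opts plays the part of ebtables_globals.opts. It loads the same target twice with and without the patch's option_offset guard and reports how many entries end up in the global option table and how many per-target data blocks are still live.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>

/* Constructed model of the failure the patch guards against; this is
 * not the iptables/ebtables source. A target carries its own getopt
 * table, load_target() merges it into one global table (as the real
 * merge_options() does) and records a non-zero option_offset. */
struct target {
	const char *name;
	const struct option *extra_opts;	/* terminated by an all-zero entry */
	unsigned int option_offset;		/* 0 until merge_options() has run */
	void *data;				/* per-target private data */
};

/* Hypothetical option tables; the names resemble ebtables extensions
 * but the tables themselves are made up for this example. */
static const struct option mark_opts[] = {
	{ "mark-set", 1, NULL, 1 },
	{ "mark-target", 1, NULL, 2 },
	{ NULL, 0, NULL, 0 },
};
static const struct option redirect_opts[] = {
	{ "redirect-target", 1, NULL, 1 },
	{ NULL, 0, NULL, 0 },
};
static struct target registry[] = {
	{ "mark", mark_opts, 0, NULL },
	{ "redirect", redirect_opts, 0, NULL },
};

/* Global option table: the analogue of ebtables_globals.opts. */
static struct option *global_opts;
static unsigned int global_count;
static unsigned int next_offset = 256;
static unsigned int allocs_live;	/* per-target data blocks not yet freed */

/* Append the target's options to the global table, shifting each val
 * by a per-target offset so values stay unique; returns that offset. */
static unsigned int merge_options(const struct target *t)
{
	unsigned int n = 0, off = next_offset;
	struct option *merged;

	while (t->extra_opts[n].name)
		n++;
	merged = realloc(global_opts, (global_count + n + 1) * sizeof(*merged));
	if (!merged)
		abort();
	for (unsigned int i = 0; i < n; i++) {
		merged[global_count + i] = t->extra_opts[i];
		merged[global_count + i].val += (int)off;
	}
	global_count += n;
	memset(&merged[global_count], 0, sizeof(*merged));
	global_opts = merged;
	next_offset += 256;
	return off;
}

/* guarded=1 applies the patch's early return; guarded=0 shows the bug:
 * a second load re-allocates data (leaking the first block) and merges
 * the same options into the global table a second time. */
static struct target *load_target(const char *name, int guarded)
{
	struct target *t = NULL;

	for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++)
		if (strcmp(registry[i].name, name) == 0)
			t = &registry[i];
	if (!t)
		return NULL;
	if (guarded && t->option_offset)
		return t;	/* already merged: reuse, do not allocate again */
	t->data = calloc(1, 64);
	if (!t->data)
		abort();
	allocs_live++;
	t->option_offset = merge_options(t);
	return t;
}

unsigned int global_option_count(void) { return global_count; }
unsigned int live_allocations(void) { return allocs_live; }

/* Return the model to its initial state between scenarios; only the
 * most recent data block of each target is reachable, which is the leak. */
void reset_state(void)
{
	free(global_opts);
	global_opts = NULL;
	global_count = 0;
	next_offset = 256;
	for (size_t i = 0; i < sizeof(registry) / sizeof(registry[0]); i++) {
		free(registry[i].data);
		registry[i].data = NULL;
		registry[i].option_offset = 0;
	}
	allocs_live = 0;
}

/* Load the same target twice and return the global option-table size,
 * which is what a duplicate merge corrupts. */
unsigned int double_load_count(int guarded)
{
	reset_state();
	load_target("mark", guarded);
	load_target("mark", guarded);
	return global_option_count();
}

int main(void)
{
	unsigned int n = double_load_count(0), a = live_allocations();

	printf("unguarded: %u options, %u live allocations\n", n, a);
	n = double_load_count(1);
	a = live_allocations();
	printf("guarded:   %u options, %u live allocations\n", n, a);
	reset_state();
	return 0;
}
```

With the guard off, "mark" contributes its two options twice (four entries) and leaves two data blocks allocated with only one pointer to reach them; with the guard on, the second load returns the cached target and the table and allocation counts stay at the values the first load produced.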