Phil Sutter <phil@xxxxxx> wrote:
> When comparing two rules with non-standard targets, differences in
> targets' payloads weren't respected.
>
> The cause is a rather hideous one: Unlike xtables_find_match(),
> xtables_find_target() did not care whether the found target was already
> in use or not, so the same target instance was assigned to both rules
> and therefore payload comparison happened over the same memory location.
>
> With legacy iptables it is not possible to reuse a target: The only case
> where two rules (i.e., iptables_command_state instances) could exist at
> the same time is when comparing rules, but that's handled using libiptc.

This causes:

extensions/libebt_ip.t: ERROR: line 2 (cannot delete: ebtables -I INPUT -p ip --ip-src ! 192.168.0.0/24 -j ACCEPT)

(and similar errors).

I've applied patch 1.