The command_jump() function leaves cs->target as NULL if the target is not found. Check if the cs->jumpto string mismatches only in this case. https://bugzilla.netfilter.org/show_bug.cgi?id=1422 Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- extensions/libxt_NOTRACK.t | 3 +-- iptables/nft-shared.c | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/extensions/libxt_NOTRACK.t b/extensions/libxt_NOTRACK.t index 585be82d56ec..27c4734ff497 100644 --- a/extensions/libxt_NOTRACK.t +++ b/extensions/libxt_NOTRACK.t @@ -1,4 +1,3 @@ :PREROUTING,OUTPUT *raw -# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK -#-j NOTRACK;=;OK +-j NOTRACK;=;OK diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 426765641cff..5192e36358b7 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -1013,7 +1013,8 @@ bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data) goto out; } - if (strcmp(cs->jumpto, this.jumpto) != 0) { + if ((!cs->target || !this.target) && + strcmp(cs->jumpto, this.jumpto) != 0) { DEBUGP("Different verdict\n"); goto out; } -- 2.11.0
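Review bot: in the iptables/nft-shared.c hunk (nft_ipv46_rule_find), the new condition skips the jumpto comparison entirely whenever both cs->target and this.target are set, so for that case the match depends on a target comparison that is not visible in this context. Please confirm that such a comparison runs before this point, and add a short comment above the "if ((!cs->target || !this.target) &&" line saying so. The commit message describes only the case where command_jump() leaves cs->target NULL, while the condition also fires when this.target is NULL; either mention that in the message or explain in the comment why both sides are tested.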
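Review bot: in the extensions/libxt_NOTRACK.t hunk, the re-enabled "-j NOTRACK;=;OK" line is the only test touched by this patch, and it covers only the lookup that used to fail. The nft-shared.c change relaxes the verdict check for every rule where both targets are set, so a test confirming that two rules with different targets are still told apart would guard against a false match. The commit message also does not say why the jumpto strings differ for NOTRACK; one sentence on that would help future readers of this test.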