else, next payload is stacked via 'CTX_PREV_PAYLOAD'. Example breakage: ip saddr 1.2.3.4 meta l4proto tcp ... is dumped as -s 6.0.0.0 -p tcp iptables-nft -s 1.2.3.4 -p tcp is dumped correctly, because the expressions are ordered like: meta l4proto tcp ip saddr 1.2.3.4 ... and 'meta l4proto' will clear the PAYLOAD flag.
Fixes: 250dce876d92 ("nft-shared: support native tcp port delinearize")
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
iptables/nft-shared.c | 2 ++
.../ipt-restore/0018-multi-payload_0 | 27 +++++++++++++++++++
2 files changed, 29 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0018-multi-payload_0
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 71e2f18dab92..66e09e8fd533 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -986,6 +986,8 @@ static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 			nft_parse_transport(ctx, e, ctx->cs);
 			break;
 		}
+
+		ctx->flags &= ~NFT_XT_CTX_PAYLOAD;
 	}
 }
diff --git a/iptables/tests/shell/testcases/ipt-restore/0018-multi-payload_0 b/iptables/tests/shell/testcases/ipt-restore/0018-multi-payload_0
new file mode 100755
index 000000000000..f27577540d6e
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0018-multi-payload_0
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Make sure iptables-restore simply ignores
+# rules starting with -6
+
+set -e
+
+# show rules, drop uninteresting policy settings
+ipt_show() {
+	$XT_MULTI iptables-save | grep -- '-A INPUT'
+}
+
+# issue reproducer for iptables-restore
+
+$XT_MULTI iptables-restore <<EOF
+*filter
+-A INPUT -s 1.2.3.0/25 -p udp
+-A INPUT -s 1.2.3.0/26 -d 5.6.7.8/32
+-A INPUT -s 1.2.3.0/27 -d 10.2.0.0/16 -p tcp -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='-A INPUT -s 1.2.3.0/25 -p udp
+-A INPUT -s 1.2.3.0/26 -d 5.6.7.8/32
+-A INPUT -s 1.2.3.0/27 -d 10.2.0.0/16 -p tcp -j ACCEPT'
+
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
-- 
2.35.1
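Review bot: The new `ctx->flags &= ~NFT_XT_CTX_PAYLOAD;` carries no comment saying why the flag is dropped at this point, and the commit message is the only place that explains that a still-set flag makes the next payload expression get stacked via CTX_PREV_PAYLOAD and decoded against the wrong base. A reader of nft_parse_cmp later will not know the clear is what stops a second payload match (`-s ... -p ...`) from being misread as `-s 6.0.0.0`, so I would put `/* this payload is consumed; a following payload expr must start fresh, not stack on it */` above the line. The clear sits after the switch, inside an enclosing block that the hunk only shows closing, so whether every path that set the flag reaches it (including cmp values no case handles) is something to confirm from the rest of nft_parse_cmp, which starts outside the hunk.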
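Review bot: The header comment of the new test, `# Make sure iptables-restore simply ignores` / `# rules starting with -6`, describes a different test; nothing in this script involves -6, it restores rules that combine -s, -d and -p and checks that iptables-save reproduces them unchanged. I would replace those two lines with `# Make sure rules with several payload matches (-s/-d/-p) survive a restore/save round trip` so the file states what regression it guards. The script only covers the -s/-d-before--p ordering that the commit message says was broken; adding one rule with -p ahead of -s, the ordering that already worked, would pin both orders should the flag handling change again. `echo -e` on EXPECT is harmless but unnecessary, as the string contains no escape sequences.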