From: Daniel Wagner <daniel.wag...@bmw-carit.de>

The linked list is tracking all loading modules. Since we do not unload once they are loaded (xtables does not support this), we might end up leaving prepare_matches() before we update the option table.

Since we carefully reset the global xtable state after executing one rule, this check is wrong, e.g. if we add two similar rules (same matches (mark, nfacct)). In this case the second rule would not be parsed correctly.

Nasty nasty iptables parser!
---
 src/iptables.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/src/iptables.c b/src/iptables.c index d133127..135577a 100644 --- a/src/iptables.c +++ b/src/iptables.c @@ -1600,9 +1600,6 @@ static struct xtables_match *prepare_matches(struct connman_iptables *table, if (xt_m->init != NULL) xt_m->init(xt_m->m); - if (xt_m == xt_m->next) - goto done; - #if XTABLES_VERSION_CODE > 5 if (xt_m->x6_options != NULL) iptables_globals.opts = @@ -1627,7 +1624,6 @@ static struct xtables_match *prepare_matches(struct connman_iptables *table, xt_m = NULL; } -done: return xt_m; } -- 1.8.1.3.566.gaa39828 _______________________________________________ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman
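Review bot: in the first hunk of prepare_matches(), dropping the `if (xt_m == xt_m->next) goto done;` early exit means the `iptables_globals.opts =` merge under `#if XTABLES_VERSION_CODE > 5` now runs on every call, including for a match that is already loaded, and nothing in the code records why. The rationale (global xtables state is reset after each rule, so the option table has to be rebuilt each time) lives only in the commit message; a short comment above the `#if` block would keep someone from reintroducing the shortcut later. Because the merge is now repeated for every rule, it is also worth confirming that the per-rule reset releases the previously merged option table, since that path is not visible in this diff. The `done:` label removal in the second hunk follows from removing the `goto` here.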