nft-shared: skip check for jumpto if cs->target is unset
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 15 Apr 2020 19:29:27 +0000 (21:29 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 15 Apr 2020 21:04:16 +0000 (23:04 +0200)
The command_jump() function leaves cs->target unset if the target is not
found. Let's check if the jumpto string mismatches only in this case.

https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Tested-by: Etienne Champetier <etienne.champetier@anevia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
extensions/libxt_NOTRACK.t
iptables/nft-shared.c

index 585be82d56ecbe59c97c44c53ec7be6655026455..27c4734ff497e94052aa834e84c36501627bb438 100644 (file)
@@ -1,4 +1,3 @@
 :PREROUTING,OUTPUT
 *raw
-# ERROR: cannot find: iptables -I PREROUTING -t raw -j NOTRACK
-#-j NOTRACK;=;OK
+-j NOTRACK;=;OK
index 426765641cff679b71c5d014a963eb93bb1e5a18..5192e36358b7cb3ed60e6032217ce5e4df550e37 100644 (file)
@@ -1013,7 +1013,8 @@ bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data)
                goto out;
        }
 
-       if (strcmp(cs->jumpto, this.jumpto) != 0) {
+       if ((!cs->target || !this.target) &&
+           strcmp(cs->jumpto, this.jumpto) != 0) {
                DEBUGP("Different verdict\n");
                goto out;
        }
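Review bot: The new test on `cs->target` and `this.target` has no comment, and its effect on rule matching is easy to misread: the jumpto strings are now compared only when at least one side has no target, and are ignored when both are set. A comment above the `if` would make this explicit, e.g. `/* compare jumpto only if a target is missing on either side; with both set, the target comparison must tell the rules apart */`. Whether that target comparison actually runs earlier in nft_ipv46_rule_find is not visible here, because the function starts and ends outside the hunk. It is worth confirming, since a lookup that matches too loosely could presumably let a rule check or delete act on a different rule than the one specified.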