nft: pass ipt_entry to ->save_firewall hook
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 8 Oct 2013 08:44:20 +0000 (10:44 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 30 Dec 2013 22:50:52 +0000 (23:50 +0100)
The extension needs the ipt_entry in order not to crash. Since cs->fw
actually points to a union that also contains cs->fw6, just
pass cs->fw to make it work.

This fixes:

-A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-shared.c
iptables/nft.c

index 25cb1772b5ea009b86c9a4ae72e7a9a53ec7e5e3..ebcb9692e6501aecc12481d6c862ae53af2d3224 100644 (file)
@@ -633,14 +633,14 @@ void print_matches_and_target(struct iptables_command_state *cs,
 
        for (matchp = cs->matches; matchp; matchp = matchp->next) {
                if (matchp->match->print != NULL) {
-                       matchp->match->print(NULL, matchp->match->m,
+                       matchp->match->print(&cs->fw, matchp->match->m,
                                             format & FMT_NUMERIC);
                }
        }
 
        if (cs->target != NULL) {
                if (cs->target->print != NULL) {
-                       cs->target->print(NULL, cs->target->t,
+                       cs->target->print(&cs->fw, cs->target->t,
                                          format & FMT_NUMERIC);
                }
        }
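Review bot: Both print calls now pass `&cs->fw` with no comment saying why an `ipt_entry` pointer is correct in a function that is shared by both address families; the `cs->target->save` call in iptables/nft.c has the same gap. The commit message says cs->fw sits in a union with cs->fw6, so the address is presumably usable by IPv6 extensions too, but that depends on the union layout, which is declared outside this hunk. I would add above the first call `/* fw and fw6 share storage in cs, so &cs->fw serves IPv4 and IPv6 extensions alike */`. Since extensions now read fields from the entry instead of receiving NULL, it is also worth confirming that every caller has populated it before printing; print_matches_and_target starts and ends outside the hunk.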
index 50e756bec962ac1ff4531ffb4c13c4a2ce0db958..01e026404a8d68feda24711d118ce91d3357f844 100644 (file)
@@ -1040,8 +1040,10 @@ nft_rule_print_save(const struct iptables_command_state *cs,
                } else
                        printf("-m %s", matchp->match->name);
 
-               if (matchp->match->save != NULL)
-                       matchp->match->save(NULL, matchp->match->m);
+               if (matchp->match->save != NULL) {
+                       /* cs->fw union makes the trick */
+                       matchp->match->save(&cs->fw, matchp->match->m);
+               }
                printf(" ");
        }
 
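Review bot: The added comment `/* cs->fw union makes the trick */` does not tell the reader what the trick is; `/* fw and fw6 share storage in the cs union, so &cs->fw works for either family */` would say it outright. The braces added around this single-statement `if` also leave it inconsistent with the unbraced `if (cs->target->save != NULL)` in the next hunk, so one form should be used for both. nft_rule_print_save starts and ends outside the hunk.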
@@ -1052,7 +1054,7 @@ nft_rule_print_save(const struct iptables_command_state *cs,
                        printf("-j %s", cs->jumpto);
 
                if (cs->target->save != NULL)
-                       cs->target->save(NULL, cs->target->t);
+                       cs->target->save(&cs->fw, cs->target->t);
        } else if (strlen(cs->jumpto) > 0)
                printf("-%c %s", ip_flags & IPT_F_GOTO ? 'g' : 'j',
                                                                cs->jumpto);