ebtables-compat: fix segfault in rules w/o target
authorArturo Borrero <arturo.borrero.glez@gmail.com>
Mon, 5 Jan 2015 14:28:46 +0000 (15:28 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 6 Jan 2015 21:17:43 +0000 (22:17 +0100)
This patch fixes a segfault in rules without target.

Now, these two rules are allowed:

% ebtables-compat -A FORWARD -p 0x0600 -j CONTINUE
% ebtables-compat -A FORWARD -p 0x0600

And both are printed:

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-p 0x600 -j CONTINUE

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-bridge.c

index 90bcd63df51dc0ad81346b323723b52d00ac7297..fd9554eb2c69ff9ac02ed21ca0bb75d7b027f7a2 100644 (file)
@@ -114,6 +114,9 @@ static int _add_action(struct nft_rule *r, struct ebtables_command_state *cs)
 {
        int ret = 0;
 
+       if (cs->jumpto == NULL || strcmp(cs->jumpto, "CONTINUE") == 0)
+               return 0;
+
        /* If no target at all, add nothing (default to continue) */
        if (cs->target != NULL) {
                /* Standard target? */
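Review bot: The new guard at the top of `_add_action` carries no comment, and the retained comment `/* If no target at all, add nothing (default to continue) */` is now misleading because the no-target case returns before reaching it. Moving that explanation onto the guard would fix both, e.g. `/* No -j given, or explicit CONTINUE: add nothing (default to continue) */`. The guard also tests `cs->jumpto` while the code below tests `cs->target`. If any caller can set a target without a jumpto name, that target would be silently dropped from the rule here, so this is worth confirming against the option parser, which is not visible. The function body continues outside the hunk.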
@@ -452,14 +455,16 @@ static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
        }
 
        printf("-j ");
-       if (!(format & FMT_NOTARGET))
-               printf("%s", cs.jumpto);
-
        if (cs.target != NULL) {
                if (cs.target->print != NULL) {
                        cs.target->print(&cs.fw, cs.target->t,
                                            format & FMT_NUMERIC);
                }
+       } else {
+               if (strcmp(cs.jumpto, "") == 0)
+                       printf("CONTINUE");
+               else
+                       printf("%s", cs.jumpto);
        }
 
        if (!(format & FMT_NOCOUNTS))
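Review bot: In the new `else` branch, `strcmp(cs.jumpto, "")` dereferences `cs.jumpto` without the NULL check that this same commit adds in `_add_action`. If the rule-to-command-state conversion (not visible here) can leave `jumpto` unset, listing such a rule would crash in the same way as the segfault being fixed. A guard such as `if (cs.jumpto == NULL || cs.jumpto[0] == '\0')` before printing `CONTINUE` covers both cases. The hunk also removes the `FMT_NOTARGET` test, so the target is printed even when a caller asks to suppress it, and when `cs.target` is set but has no `print` callback the output is a bare `-j `. Both look unintended and should be confirmed; the function starts and ends outside the hunk.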