nft-compat: fix wrong protocol context in initialization

This fixes matches/targets that are dependent on that IPv4/Ipv6
context, eg.

 # ip6tables-compat -I INPUT -j REJECT --reject-with icmp6-addr-unreachable
 # ip6tables-compat-save
 ...
 -A INPUT -j REJECT --reject-with icmp6-port-unreachable

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 93065cfcfeddeaedee8e3e85595133e8439780cb..42d2907165108ec5f8ad772a7b968625c449424b 100644 (file)
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -85,8 +85,7 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
        int c;
 
        xtables_globals.program_name = progname;
-       /* XXX xtables_init_all does several things we don't want */
-       c = xtables_init_all(&xtables_globals, NFPROTO_IPV4);
+       c = xtables_init_all(&xtables_globals, family);
        if (c < 0) {
                fprintf(stderr, "%s/%s Failed to initialize xtables\n",
                                xtables_globals.program_name,

diff --git a/iptables/xtables.c b/iptables/xtables.c
index 7a8ace3deb566cecee4d6c3919e1cb3288e1db89..45a5ac631bfd32214404e8513956e98ff4dd7075 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -691,7 +691,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
        struct xtables_rule_match *matchp;
        struct xtables_target *t;
        struct xtables_args args = {
-               .family = AF_INET,
+               .family = h->family,
        };
 
        memset(&cs, 0, sizeof(cs));
@@ -716,8 +716,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
           demand-load a protocol. */
        opterr = 0;
 
-       /* Default on AF_INET */
-       h->ops = nft_family_ops_lookup(AF_INET);
+       h->ops = nft_family_ops_lookup(h->family);
        if (h->ops == NULL)
                xtables_error(PARAMETER_PROBLEM, "Unknown family");