@@ -943,16 +943,16 @@ static void parse_rule_range(struct xt_cmd_parse *p, const char *argv)
#define CMD_IDRAC CMD_INSERT | CMD_DELETE | CMD_REPLACE | \
CMD_APPEND | CMD_CHECK | CMD_CHANGE_COUNTERS
static const unsigned int options_v_commands[NUMBER_OF_OPT] = {
-/*OPT_NUMERIC*/ CMD_LIST,
+/*OPT_NUMERIC*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
/*OPT_SOURCE*/ CMD_IDRAC,
/*OPT_DESTINATION*/ CMD_IDRAC,
/*OPT_PROTOCOL*/ CMD_IDRAC,
/*OPT_JUMP*/ CMD_IDRAC,
/*OPT_VERBOSE*/ UINT_MAX,
-/*OPT_EXPANDED*/ CMD_LIST,
+/*OPT_EXPANDED*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
/*OPT_VIANAMEIN*/ CMD_IDRAC,
/*OPT_VIANAMEOUT*/ CMD_IDRAC,
-/*OPT_LINENUMBERS*/ CMD_LIST,
+/*OPT_LINENUMBERS*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
/*OPT_COUNTERS*/ CMD_INSERT | CMD_REPLACE | CMD_APPEND | CMD_SET_POLICY,
/*OPT_FRAGMENT*/ CMD_IDRAC,
/*OPT_S_MAC*/ CMD_IDRAC,
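Review bot: The six widened rows (OPT_NUMERIC, OPT_EXPANDED and OPT_LINENUMBERS in this hunk, OPT_LIST_C, OPT_LIST_X and OPT_LIST_MAC2 in the next one) carry no hint in the table of why list-only options are now valid for CMD_ZERO and CMD_ZERO_NUM, so a later cleanup could narrow them back to `CMD_LIST` and bring the rejection back. A comment above the table would record the reason, for example `/* List-only options also allow CMD_ZERO and CMD_ZERO_NUM: --zero may accompany a list command; with --zero alone they are accepted and ignored. */`. The repeated mask could also become a local macro next to CMD_IDRAC, under a name of your choosing such as `#define CMD_LIST_ZERO (CMD_LIST | CMD_ZERO | CMD_ZERO_NUM)` with a matching `#undef`, so the six rows cannot drift apart. Because this table is what rejects invalid option/command combinations in a firewall tool, a test pinning both the list-plus-zero case and the zero-only case would keep the accepted-but-ignored behaviour a deliberate choice. The array body continues past this hunk and is closed in the next one.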
@@ -963,9 +963,9 @@ static const unsigned int options_v_commands[NUMBER_OF_OPT] = {
/*OPT_P_TYPE*/ CMD_IDRAC,
/*OPT_LOGICALIN*/ CMD_IDRAC,
/*OPT_LOGICALOUT*/ CMD_IDRAC,
-/*OPT_LIST_C*/ CMD_LIST,
-/*OPT_LIST_X*/ CMD_LIST,
-/*OPT_LIST_MAC2*/ CMD_LIST,
+/*OPT_LIST_C*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
+/*OPT_LIST_X*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
+/*OPT_LIST_MAC2*/ CMD_LIST | CMD_ZERO | CMD_ZERO_NUM,
};
#undef CMD_IDRAC
With commit 9c09d28102bb4 ("xshared: Simplify generic_opt_check()"), iptables started to reject list-specific options (--numeric, --exact, --line-numbers) if --zero was also specified: The old generic_opt_check() implementation ignored a command's reject of an option if an earlier command (decided by the numeric CMD_* value) had accepted it already. Instead of replicating the old logic and introducing an inner loop over the bits in 'command', simply expand the respective 'options_v_commands' fields. As a side-effect, this will make iptables accept but ignore these list-specific options when only --zero command was specified. Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com> Fixes: 9c09d28102bb4 ("xshared: Simplify generic_opt_check()") Signed-off-by: Phil Sutter <phil@nwl.cc> --- iptables/xshared.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)