commit 32474c134556731553c3985bb315ec0ee5f83c99
Author: Thomas Woerner <twoerner@redhat.com>
Date:   Mon Sep 5 15:58:43 2016 +0200

    firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules
    
    In set_rules, the rules are grouped by table to be able to create the
    iptables-save format without changing the table several times.
    
    For this the table is extracted from the rule and therefore also removed from
    the rule. But this is not done on a copy of the rule, but the internal rule.
    This results in removing the table information from the rule completely, which
    is an issue if the rule can not be applied in the transaction and the
    generous_mode is used to be able to assign the rules one by one. This is the
    case for rules saved in direct.xml.
    
    Fixes issue #152

diff --git a/src/firewall/core/ebtables.py b/src/firewall/core/ebtables.py
index cbb1895..a9b044a 100644
--- a/src/firewall/core/ebtables.py
+++ b/src/firewall/core/ebtables.py
@@ -117,15 +117,18 @@ class ebtables(object):
 
         table = "filter"
         table_rules = { }
-        for rule in rules:
-            try:
-                i = rule.index("-t")
-            except Exception:
-                pass
-            else:
-                if len(rule) >= i+1:
-                    rule.pop(i)
-                    table = rule.pop(i)
+        for _rule in rules:
+            rule = _rule[:]
+            # get table form rule
+            for opt in [ "-t", "--table" ]:
+                try:
+                    i = rule.index(opt)
+                except ValueError:
+                    pass
+                else:
+                    if len(rule) >= i+1:
+                        rule.pop(i)
+                        table = rule.pop(i)
 
             # we can not use joinArgs here, because it would use "'" instead
             # of '"' for the start and end of the string, this breaks
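Review bot: `table = "filter"` is still assigned once before the loop, so a rule without `-t`/`--table` inherits the table of whichever rule preceded it and can be grouped under the wrong table; the ipXtables.py loop resets it per rule. Move the assignment into the loop body, directly after `rule = _rule[:]`. The guard `if len(rule) >= i+1:` is also always true for a valid index, so a rule ending in a bare `-t` raises IndexError on the second `pop`; `if len(rule) > i+1:` is the check that appears to be intended. The rest of the loop body lies outside the hunk, so confirm `table` is not reset further down. The added comment should read `# get table from rule`.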
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index a3ba443..c6d7a1f 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -203,7 +203,8 @@ class ip4tables(object):
         temp_file = tempFile()
 
         table_rules = { }
-        for rule in rules:
+        for _rule in rules:
+            rule = _rule[:]
             table = "filter"
             # get table form rule
             for opt in [ "-t", "--table" ]:
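Review bot: The copy on `rule = _rule[:]` carries the whole fix, but nothing in the code says why it is there, so a later cleanup could drop it and reintroduce the loss of table information. Add a comment such as `# copy: the -t/--table option is popped below and the caller's rule must keep it for the one-by-one fallback`. The slice is a shallow copy, which is sufficient as long as each rule is a flat list of strings; that looks to be the case here but is not shown in the hunk. The loop body continues past the end of the hunk.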