commit 32474c134556731553c3985bb315ec0ee5f83c99 Author: Thomas Woerner Date: Mon Sep 5 15:58:43 2016 +0200 firewall.core.{ipXtables,ebtables}: Copy rule before extracting items in set_rules In set_rules, the rules are grouped by table to be able to create the iptables-save format without changing the table serveral times. For this the table is extracted from the rule and therefore also removed from the rule. But this is not done on a copy of the rule, but the internal rule. This results in remogin the table information from the rule completely, which is an issue if the rule can not be applied in the transaction and the generous_mode is used to be able to assign the rules one by one. This is the case for rules saved in direct.xml. Fixes issue #152
diff --git a/src/firewall/core/ebtables.py b/src/firewall/core/ebtables.py
index cbb1895..a9b044a 100644
--- a/src/firewall/core/ebtables.py
+++ b/src/firewall/core/ebtables.py
@@ -117,15 +117,18 @@ class ebtables(object):
 table = "filter"
 table_rules = { }
- for rule in rules:
- try:
- i = rule.index("-t")
- except Exception:
- pass
- else:
- if len(rule) >= i+1:
- rule.pop(i)
- table = rule.pop(i)
+ for _rule in rules:
+ rule = _rule[:]
+ # get table form rule
+ for opt in [ "-t", "--table" ]:
+ try:
+ i = rule.index(opt)
+ except ValueError:
+ pass
+ else:
+ if len(rule) >= i+1:
+ rule.pop(i)
+ table = rule.pop(i)
 # we can not use joinArgs here, because it would use "'" instead
 # of '"' for the start and end of the string, this breaks
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index a3ba443..c6d7a1f 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -203,7 +203,8 @@ class ip4tables(object):
 temp_file = tempFile()
 table_rules = { }
- for rule in rules:
+ for _rule in rules:
+ rule = _rule[:]
 table = "filter"
 # get table form rule
 for opt in [ "-t", "--table" ]:
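Review bot: In ebtables.py `table = "filter"` remains a context line ahead of the rewritten `for _rule in rules:` loop, so within this hunk the table is never reset per rule, and a rule without `-t` would be grouped under the table of the previous rule that had one. ipXtables.py sets it inside the loop; doing the same here, with `table = "filter"` right after `rule = _rule[:]`, keeps a direct rule from being written into a table its author did not choose. The guard `if len(rule) >= i+1:` is also always true once `rule.index(opt)` has returned `i`, so a rule that ends in `-t` makes the second `rule.pop(i)` raise IndexError; `if len(rule) > i+1:` is the check that appears to be intended. The loop body continues past the end of the hunk, so confirm that nothing below it resets `table`.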
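Review bot: The new `rule = _rule[:]` in ip4tables carries no comment saying why the copy is needed; the reason lives only in the commit message. A line above it such as `# work on a copy: popping -t/--table must not alter the caller's rule, which generous_mode applies again one by one` would keep a later cleanup from dropping the copy. The slice is a shallow copy, which is sufficient only while each rule is a flat list of strings, as the `rule.index(opt)` usage in ebtables.py suggests. The loop body extends beyond this hunk.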