From 5b36b6fa581ca958340ab8d40be646cae249eee4 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 23 Oct 2019 12:07:39 +0200 Subject: [PATCH 2/2] xtables-restore: Unbreak *tables-restore Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700 Upstream Status: iptables commit 4e470fa347610 Conflicts: Downstream does not support nft-variants. commit 4e470fa34761085144640fb561a9ad26b2cde382 Author: Phil Sutter Date: Tue Oct 22 12:25:28 2019 +0200 xtables-restore: Unbreak *tables-restore Commit 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") installed an error check which evaluated true in all cases as all callers of do_command callbacks pass a pointer to a table name already. Attached test case passed as it tested error condition only. Fix the whole mess by introducing a boolean to indicate whether a table parameter was seen already. Extend the test case to cover positive as well as negative behaviour and to test ebtables-restore and ip6tables-restore as well. Also add the required checking code to the latter since the original commit missed it. Fixes: 3dc433b55bbfa ("xtables-restore: Fix --table parameter check") Signed-off-by: Phil Sutter Acked-by: Pablo Neira Ayuso Signed-off-by: Phil Sutter --- iptables/ip6tables.c | 6 ++++++ iptables/iptables.c | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c index fc2fd37cfe919..42edf7a55ec6e 100644 --- a/iptables/ip6tables.c +++ b/iptables/ip6tables.c @@ -1316,6 +1316,7 @@ int do_command6(int argc, char *argv[], char **table, struct xtables_rule_match *matchp; struct xtables_target *t; unsigned long long cnt; + bool table_set = false; memset(&cs, 0, sizeof(cs)); cs.jumpto = ""; 
@@ -1598,7 +1599,12 @@ int do_command6(int argc, char *argv[], char **table, if (cs.invert) xtables_error(PARAMETER_PROBLEM, "unexpected ! flag before --table"); + if (restore && table_set) + xtables_error(PARAMETER_PROBLEM, + "The -t option (seen in line %u) cannot be used in %s.\n", + line, xt_params->program_name); *table = optarg; + table_set = true; break; case 'x': diff --git a/iptables/iptables.c b/iptables/iptables.c index d106a18949407..0ad87fd98684d 100644 --- a/iptables/iptables.c +++ b/iptables/iptables.c @@ -1312,6 +1312,7 @@ int do_command4(int argc, char *argv[], char **table, struct xtables_rule_match *matchp; struct xtables_target *t; unsigned long long cnt; + bool table_set = false; memset(&cs, 0, sizeof(cs)); cs.jumpto = ""; @@ -1591,11 +1592,12 @@ int do_command4(int argc, char *argv[], char **table, if (cs.invert) xtables_error(PARAMETER_PROBLEM, "unexpected ! flag before --table"); - if (restore && *table) + if (restore && table_set) xtables_error(PARAMETER_PROBLEM, "The -t option (seen in line %u) cannot be used in %s.\n", line, xt_params->program_name); *table = optarg; + table_set = true; break; case 'x': -- 2.23.0
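Review bot: The guard `if (restore && table_set)` added to the `-t` case of do_command6 rejects only a second `-t`, so it is sound only if the restore caller always supplies the first one itself, and nothing in the hunk states that. If a restore path reached this case without a caller-supplied table option, a `-t` in a rule line would be accepted and `*table = optarg` would presumably move the rule into a table other than the one its section names. I would record the invariant next to `table_set = true;`, e.g. `/* restore: the first -t is expected from the caller, any later one comes from the rule line */`; the same applies to the matching do_command4 hunk in iptables/iptables.c. The diffstat lists only the two C files, so the extended test case the description mentions is not in this backport and the accept-once, reject-twice behaviour has no coverage here. Both functions begin and end outside the hunks.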