| field | value | date |
|---|---|---|
| author | Florian Westphal <fw@strlen.de> | 2018-05-05 10:38:38 +0200 |
| committer | Florian Westphal <fw@strlen.de> | 2018-05-05 20:02:59 +0200 |
| commit | de874054ec26a78ce83ccf13c449a4d3c4a5778e (patch) | |
| tree | b1ebd85faa9429715f995a1abcc383d4f6ed3154 /extensions/libipt_LOG.c | |
| parent | c7b2fd6f8ee50c0f3be02102fe47b50c65e9e57a (diff) | |
xtables-compat: fix ipv4 frag (-f)

```
iptables-translate -A I -f
nft add rule ip filter I ip frag-off != 0 counter
```

iptables however checks:

```c
frag_off = ntohs(iph->frag_off) & IP_OFFSET;
if (NF_INVF(ipinfo, IPT_INV_FRAG,
            (ipinfo->flags & IPT_F_FRAG) && !frag_off))
        return false;
```

So we need to mask off non-offset bits.

Second issue is that we negated the meaning in ipt-restore.

`-f` should match if `(frag_off & IP_OFFSET) NE 0`

`! -f` matches non-fragmented packets, i.e. `frag_off & IP_OFFSET == 0`.

So we cannot use nft_invflags2cmp(), as that will use NEQ for negation, but we need EQ instead here.

Signed-off-by: Florian Westphal <fw@strlen.de>
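The masking problem the commit describes, as an added illustration that is not part of the commit or of the iptables/nftables sources: a reference model of the kernel's `-f` / `! -f` check next to an unmasked `frag-off != 0` translation and a masked one, run over a handful of constructed `frag_off` header values. The `IP_OFFSET`, `IP_MF` and `IP_DF` constants mirror the values in Linux `<linux/ip.h>`; the helper names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Same values as Linux <linux/ip.h>, copied so the example is self-contained. */
#define IP_OFFSET 0x1FFFu   /* 13-bit fragment offset                   */
#define IP_MF     0x2000u   /* "more fragments" flag                     */
#define IP_DF     0x4000u   /* "don't fragment" flag                     */

/* Reference: iptables "-f" (invert=false) and "! -f" (invert=true), following
 * the kernel check quoted in the commit: only the offset bits decide whether
 * the packet is a non-first fragment.  frag_off is in host byte order. */
static bool iptables_frag_match(uint16_t frag_off, bool invert)
{
    bool is_frag = (frag_off & IP_OFFSET) != 0;
    return invert ? !is_frag : is_frag;
}

/* Translation before the fix: "ip frag-off != 0" with no mask, so any packet
 * carrying the DF or MF flag is treated as a fragment. */
static bool nft_unmasked_match(uint16_t frag_off, bool invert)
{
    bool cmp = frag_off != 0;
    return invert ? !cmp : cmp;
}

/* Translation after the fix: mask first, then pick the comparison directly
 * (NEQ 0 for -f, EQ 0 for ! -f) rather than inverting a NEQ. */
static bool nft_masked_match(uint16_t frag_off, bool invert)
{
    uint16_t masked = frag_off & IP_OFFSET;
    return invert ? (masked == 0) : (masked != 0);
}

/* Counts the (header, invert) combinations on which the chosen translation
 * disagrees with iptables.  The samples are constructed: plain packet, DF
 * set, first fragment (MF, offset 0), middle fragment, last fragment. */
static int count_mismatches(bool use_masked)
{
    static const uint16_t samples[] = { 0x0000, IP_DF, IP_MF, IP_MF | 0x00B9, 0x0172 };
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (int inv = 0; inv < 2; inv++) {
            bool want = iptables_frag_match(samples[i], inv);
            bool got = use_masked ? nft_masked_match(samples[i], inv)
                                  : nft_unmasked_match(samples[i], inv);
            if (want != got)
                n++;
        }
    return n;
}
```

A DF-only packet (`frag_off == 0x4000`) is the case that exposes the bug: the unmasked rule counts it as a fragment, the kernel does not.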
Diffstat (limited to 'extensions/libipt_LOG.c')
0 files changed, 0 insertions, 0 deletions