nft: use payload matching for layer 4 protocol

This is an IPv4 header, which does not require the special handling as in IPv6, use the payload matching instead of meta l4proto which is slightly faster in this case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Phil Sutter <phil@nwl.cc>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2023-06-09 12:30:30 +0200
committer: Phil Sutter <phil@nwl.cc> 2023-06-16 13:37:16 +0200
commit: 69278f9602b43df80821c55c21c0666f5c6f7e2f (patch)
tree: 2f513de9156cc4dd01b74d53847678d90ab62354 /iptables/nft-ipv4.c
parent: 3513f2dd8b9c101dcecee6145a7eac62297ca1c8 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index d67d8198..2a5d25d8 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -61,7 +61,8 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r,
 
 	if (cs->fw.ip.proto != 0) {
 		op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO);
-		add_l4proto(h, r, cs->fw.ip.proto, op);
+		add_proto(h, r, offsetof(struct iphdr, protocol),
+			  sizeof(uint8_t), cs->fw.ip.proto, op);
 	}
 
 	if (cs->fw.ip.flags & IPT_F_FRAG) {
author	Pablo Neira Ayuso <pablo@netfilter.org>	2023-06-09 12:30:30 +0200
committer	Phil Sutter <phil@nwl.cc>	2023-06-16 13:37:16 +0200
commit	69278f9602b43df80821c55c21c0666f5c6f7e2f (patch)
tree	2f513de9156cc4dd01b74d53847678d90ab62354 /iptables/nft-ipv4.c
parent	3513f2dd8b9c101dcecee6145a7eac62297ca1c8 (diff)