authorPablo Neira Ayuso <>2013-08-20 20:24:26 +0200
committerPablo Neira Ayuso <>2013-12-30 23:50:44 +0100
commiteb4b65c49994e44e6ad617fe3f60c063d0c331c4 (patch)
tree178a99c4a55c746d4badbaf93df35a43f500dd52 /iptables/nft-shared.h
parentcdc78b1d6bd7b48ec05d78fc6e6cd98473f40357 (diff)
nft: fix wrong flags handling in print_firewall_details
Unfortunately, IPT_F_* and IP6T_F_* don't overlap; therefore, we have to add a specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, i.e. Chain INPUT (policy ACCEPT) tcp -f ::/0 ::/0 Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft-shared.h')
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e77b303d..6e45538c 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -90,8 +90,9 @@ void print_num(uint64_t number, unsigned int format);
void print_firewall_details(const struct iptables_command_state *cs,
const char *targname, uint8_t flags,
uint8_t invflags, uint8_t proto,
- const char *iniface, const char *outiface,
unsigned int num, unsigned int format);
+void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
+ unsigned int format);
void print_matches_and_target(struct iptables_command_state *cs,
unsigned int format);
void save_firewall_details(const struct iptables_command_state *cs,
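Review bot: The `flags` and `invflags` parameters of `print_firewall_details` and the new `print_ifaces` are still bare `uint8_t` values, and nothing in the header says which family's bit definitions they carry. The commit message explains that IPT_F_* and IP6T_F_* do not line up, so a caller that passes the wrong family's bits gets a listing that differs from the loaded rule, which matters when the listing is used to audit a ruleset. A short comment above both prototypes would record the contract, for example `/* flags/invflags use the caller's family encoding (IPT_* vs IP6T_*); family-specific flags such as -f are printed by the caller */`. The function bodies are outside this hunk, so which bits each function actually reads should be confirmed before settling the wording.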