diff options
-rw-r--r-- | iptables/nft-ipv4.c | 8 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 33bc581a..70050ba5 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -37,6 +37,10 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) if (cs->fw.ip.outiface[0] != '\0') add_outiface(r, cs->fw.ip.outiface, cs->fw.ip.invflags); + if (cs->fw.ip.proto != 0) + add_proto(r, offsetof(struct iphdr, protocol), 1, + cs->fw.ip.proto, cs->fw.ip.invflags); + if (cs->fw.ip.src.s_addr != 0) add_addr(r, offsetof(struct iphdr, saddr), &cs->fw.ip.src.s_addr, 4, cs->fw.ip.invflags); @@ -45,10 +49,6 @@ static int nft_ipv4_add(struct nft_rule *r, void *data) add_addr(r, offsetof(struct iphdr, daddr), &cs->fw.ip.dst.s_addr, 4, cs->fw.ip.invflags); - if (cs->fw.ip.proto != 0) - add_proto(r, offsetof(struct iphdr, protocol), 1, - cs->fw.ip.proto, cs->fw.ip.invflags); - if (cs->fw.ip.flags & IPT_F_FRAG) { add_payload(r, offsetof(struct iphdr, frag_off), 2); /* get the 13 bits that contain the fragment offset */ diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 00f1bf8e..52de5b69 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -34,6 +34,10 @@ static int nft_ipv6_add(struct nft_rule *r, void *data) if (cs->fw6.ipv6.outiface[0] != '\0') add_outiface(r, cs->fw6.ipv6.outiface, cs->fw6.ipv6.invflags); + if (cs->fw6.ipv6.proto != 0) + add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, + cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + if (!IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)) add_addr(r, offsetof(struct ip6_hdr, ip6_src), &cs->fw6.ipv6.src, 16, cs->fw6.ipv6.invflags); @@ -42,10 +46,6 @@ static int nft_ipv6_add(struct nft_rule *r, void *data) add_addr(r, offsetof(struct ip6_hdr, ip6_dst), &cs->fw6.ipv6.dst, 16, cs->fw6.ipv6.invflags); - if (cs->fw6.ipv6.proto != 0) - add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, - cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); - add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); for (matchp = cs->matches; matchp; matchp = matchp->next) { |