-rw-r--r--iptables/nft-bridge.c2
-rw-r--r--iptables/nft-ipv4.c2
-rw-r--r--iptables/nft-ipv6.c2
-rwxr-xr-xiptables/tests/shell/testcases/nft-only/0002invflags_010
4 files changed, 13 insertions, 3 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 386da869..7dcc0c1a 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
add_cmp_u16(r, fw->ethproto, op);
}
- add_compat(r, fw->ethproto, fw->invflags);
+ add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
for (iter = cs->match_list; iter; iter = iter->next) {
if (iter->ismatch) {
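Review bot: The masked `add_compat()` call in `nft_bridge_add` has no comment saying why only the protocol-inversion bit is forwarded, and the same unexplained mask is repeated in `nft_ipv4_add` and `nft_ipv6_add`. Without that, a later cleanup could pass the whole `invflags` word again, and an unrelated inversion such as `! -s` or `! -i` would be recorded as an inverted protocol in the rule's compat data, which matters for a firewall ruleset. I would add above each call something like `/* compat info covers the protocol match only; never forward other inversion bits */`. The prototype of `add_compat()` is not visible in this diff; if its last parameter is a narrow integer rather than a bool, writing `!!(fw->invflags & EBT_IPROTO)` would make the flag intent explicit. All three functions start and end outside their hunks.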
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index eaf861d1..4f31a516 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
add_cmp_u16(r, 0, op);
}
- add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+ add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index fa5b8c89..c651b16d 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -60,7 +60,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
&cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
sizeof(struct in6_addr), op);
}
- add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+ add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
/* Use nft built-in comments support instead of comment match */
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
new file mode 100755
index 00000000..406b6081
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
+$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
+$XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT
+
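Review bot: The script is declared `#!/bin/sh` but its guard uses `[[ $XT_MULTI == */xtables-nft-multi ]]`, which is a bash construct. Under a POSIX `sh` such as dash, `[[` fails as an unknown command, so the `||` branch prints "skip" and exits 0, and the regression test never runs even for xtables-nft-multi. Either change the first line to `#!/bin/bash` or use a portable guard, `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0 ;; esac`. The test also only checks that the three `-A` commands succeed under `set -e`. Comparing the listed rules against the expected text afterwards would catch a rule that is accepted but stored with the wrong inversion.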