From eb4b65c49994e44e6ad617fe3f60c063d0c331c4 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 20 Aug 2013 20:24:26 +0200
Subject: nft: fix wrong flags handling in print_firewall_details
Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie.
Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0
Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv6.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'iptables/nft-ipv6.c')
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 91ef255c..9bb57981 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -161,9 +161,9 @@ static void nft_ipv6_print_firewall(struct nft_rule *r, unsigned int num,
 print_firewall_details(&cs, cs.jumpto, cs.fw6.ipv6.flags,
 cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
- cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface, num, format);
-
+ print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
+ cs.fw6.ipv6.invflags, format);
 print_ipv6_addr(&cs, format);
 if (format & FMT_NOTABLE)
-- cgit v1.2.3
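Review bot: On the new side of this hunk the print_firewall_details() call ends at `cs.fw6.ipv6.proto,` — the removed line carried `num, format);` and nothing visible re-supplies it, so either a `+ num, format);` line was lost in this path-limited view or the call is left unterminated; confirm against the full commit. Even with that settled, `cs.fw6.ipv6.flags` is still handed to the shared print_firewall_details(), so the `-f` misprint described in the message is only gone if the shared helper (in nft-shared.c, not shown here because the view is limited to nft-ipv6.c) no longer tests those bits as IPT_F_FRAG; this hunk by itself only relocates interface printing into print_ifaces(). A one-line comment above the new call, `/* IP6T_F_* and IPT_F_* do not overlap: interface/fragment flags are printed per family */`, would stop the next reader from folding print_ifaces() back into the shared helper. nft_ipv6_print_firewall() begins and ends outside this hunk.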