From 5ee03e6df41727652e0dc6ffaef8411b8840d812 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Mon, 20 Aug 2018 15:30:03 +0200 Subject: xtables: Use meta l4proto for -p match Use of payload expression to match against IPv6 nexthdr field does not work if extension headers are present. A simple example for that is matching for fragmented icmpv6 traffic. Instead, generate a 'meta l4proto' expression which works even if extension headers are present. For consistency, apply the same change to iptables-nft as well. No adjustment to reverse path required as the needed bits were added by commit 6ea7579e6fe24 ("nft: decode meta l4proto") already. Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal --- iptables/nft-shared.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'iptables/nft-shared.c') diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index b31234ee..62a57dd5 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -188,6 +188,12 @@ void add_proto(struct nftnl_rule *r, int offset, size_t len, add_cmp_u8(r, proto, op); } +void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op) +{ + add_meta(r, NFT_META_L4PROTO); + add_cmp_u8(r, proto, op); +} + bool is_same_interfaces(const char *a_iniface, const char *a_outiface, unsigned const char *a_iniface_mask, unsigned const char *a_outiface_mask, -- cgit v1.2.3
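Review bot: The new add_l4proto() helper in the hunk at @@ -188,6 +188,12 @@ has no prototype in this diff and no call site, and the diffstat reads "1 file changed, 6 insertions(+)" only because the view is limited to iptables/nft-shared.c; please confirm that the full commit adds a matching declaration `void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op);` to nft-shared.h and switches the IPv4 and IPv6 `-p` rule builders from add_proto() on the nexthdr/protocol payload offset to add_l4proto(), otherwise the "meta l4proto" behaviour described in the commit message is never generated. The body itself is consistent with add_proto() directly above it (meta load followed by add_cmp_u8 with the same `proto`/`op` pair), so the one-byte compare against NFT_META_L4PROTO is correct; one thing worth checking in the callers is the negated form (`! -p`), since a meta l4proto expression only evaluates when the kernel could determine the transport protocol, so a packet whose extension-header chain cannot be walked will not match a NEQ compare either, which differs from comparing the raw nexthdr byte.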