From d801b9f3b8161752ea2358a0bfb614603d28a8e5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 1 Jun 2013 21:14:47 +0200
Subject: xtables: fix -p protocol
The protocol field in both IPv4 and IPv6 headers are 8 bits long, so we have to compare 8 bits.
Reported-by: Giuseppe Longo
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-shared.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'iptables/nft-shared.c')
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index c368f40b..c0ee4c8a 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -91,6 +91,11 @@ void add_cmp_ptr(struct nft_rule *r, uint32_t op, void *data, size_t len)
 nft_rule_add_expr(r, expr);
 }
+void add_cmp_u8(struct nft_rule *r, uint8_t val, uint32_t op)
+{
+ add_cmp_ptr(r, op, &val, sizeof(val));
+}
+
 void add_cmp_u16(struct nft_rule *r, uint16_t val, uint32_t op)
 {
 add_cmp_ptr(r, op, &val, sizeof(val));
@@ -159,7 +164,7 @@ void add_addr(struct nft_rule *r, int offset,
 }
 void add_proto(struct nft_rule *r, int offset, size_t len,
- uint32_t proto, int invflags)
+ uint8_t proto, int invflags)
 {
 uint32_t op;
@@ -170,7 +175,7 @@ void add_proto(struct nft_rule *r, int offset, size_t len,
 else
 op = NFT_CMP_EQ;
- add_cmp_u32(r, proto, op);
+ add_cmp_u8(r, proto, op);
 }
 bool is_same_interfaces(const char *a_iniface, const char *a_outiface,
-- 
cgit v1.2.3
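Review bot: `add_cmp_u8` is a new non-static function with no comment, and this view is limited to `iptables/nft-shared.c`, so its prototype in the shared header is not visible here and should be confirmed. The helper hands the address of its by-value parameter `val` to `add_cmp_ptr`, which is only sound if `add_cmp_ptr` copies the bytes before it returns; that body starts outside the hunk, and the neighbouring `add_cmp_u16` appears to rely on the same assumption. A short header comment would record the intent, for example `/* Compare the loaded value against a single byte (e.g. the IPv4/IPv6 protocol field). */`.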
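Review bot: `add_proto` now fixes the comparison at one byte, through the `uint8_t proto` parameter here and the `add_cmp_u8` call in the next hunk, yet it still accepts a caller-supplied `size_t len`. The lines between the two hunks are not shown; if `len` still sizes the payload load there, a caller passing anything other than 1 would load a different number of bytes than are compared, and the rule could silently fail to match the intended protocol. Consider stating the contract above the function, e.g. `/* len must be 1: the protocol field is 8 bits in both IPv4 and IPv6 */`, or dropping the parameter in a follow-up. Narrowing `proto` from `uint32_t` also truncates any wider value a caller passes, without a diagnostic, so the call sites are worth checking.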