From eb4b65c49994e44e6ad617fe3f60c063d0c331c4 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 20 Aug 2013 20:24:26 +0200
Subject: nft: fix wrong flags handling in print_firewall_details

Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie.

Chain INPUT (policy ACCEPT)
tcp -f ::/0 ::/0

Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-shared.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'iptables/nft-shared.h')

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index e77b303d..6e45538c 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -90,8 +90,9 @@ void print_num(uint64_t number, unsigned int format);
 void print_firewall_details(const struct iptables_command_state *cs,
			    const char *targname, uint8_t flags,
			    uint8_t invflags, uint8_t proto,
-			    const char *iniface, const char *outiface,
			    unsigned int num, unsigned int format);
+void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
+		  unsigned int format);
 void print_matches_and_target(struct iptables_command_state *cs,
			      unsigned int format);
 void save_firewall_details(const struct iptables_command_state *cs,
-- 
cgit v1.2.3
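Review bot: The new `print_ifaces` prototype is declared without any comment, yet because it is now the one interface printer shared by the -4 and -6 paths it silently depends on the VIA_IN/VIA_OUT inversion bits in `IPT_INV_*` and `IP6T_INV_*` being identical — exactly the kind of cross-family overlap assumption the commit message says already broke for `IPT_F_*`/`IP6T_F_*`. Only the header hunk is on this page, so I cannot see whether the definition in nft-shared.c tests `invflags` against one family's constants or receives an already-normalised mask; if it is the former, the assumption should be recorded at the declaration, e.g. `/* Shared by IPv4 and IPv6: relies on IPT_INV_VIA_{IN,OUT} == IP6T_INV_VIA_{IN,OUT}. */` above the prototype, and enforced next to the definition with a build-time check (`_Static_assert` or the project's BUILD_BUG_ON equivalent) comparing the two pairs of constants. A one-line comment on `print_firewall_details` noting that interface printing moved to `print_ifaces` would also help readers of the header, since the hunk gives no hint why the two `const char *` parameters disappeared. The fragment-flag fix named in the subject is not visible in this hunk and presumably lives in the .c file.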