From 681935f6cb5734e120b5efe5aa8512508e2793f4 Mon Sep 17 00:00:00 2001
From: Sriram Rajagopalan <bglsriram@gmail.com>
Date: Wed, 13 Mar 2024 02:04:37 -0700
Subject: nft: Do not combine inverted payload matches

Fixed the issue with combining the payload in case of invert filter for
tcp src and dst ports.

Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'iptables/nft.c')

diff --git a/iptables/nft.c b/iptables/nft.c
index ee63c3dc..884cc77e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1307,14 +1307,12 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
 	uint8_t reg;
 	int ret;
 
-	if (src[0] && src[0] == src[1] &&
+	if (!invert_src &&
+	    src[0] && src[0] == src[1] &&
 	    dst[0] && dst[0] == dst[1] &&
 	    invert_src == invert_dst) {
 		uint32_t combined = dst[0] | (src[0] << 16);
 
-		if (invert_src)
-			op = NFT_CMP_NEQ;
-
 		expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, &reg);
 		if (!expr)
 			return -ENOMEM;
-- 
cgit v1.2.3