From 267a26363826553280a5928043df30a07cdc63bb Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 3 Feb 2023 20:08:09 +0100
Subject: ebtables: ip and ip6 matches depend on protocol match

This is consistent with legacy ebtables, also avoids invalid
combinations like '-p IPv6 --ip-source 1.2.3.4'.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-bridge.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'iptables')

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 83cbe315..b9983b20 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -104,11 +104,18 @@ static int
 nft_bridge_add_match(struct nft_handle *h, const struct ebt_entry *fw,
 		     struct nftnl_rule *r, struct xt_entry_match *m)
 {
-	if (!strcmp(m->u.user.name, "802_3") &&
-	    !(fw->bitmask & EBT_802_3))
+	if (!strcmp(m->u.user.name, "802_3") && !(fw->bitmask & EBT_802_3))
 		xtables_error(PARAMETER_PROBLEM,
 			      "For 802.3 DSAP/SSAP filtering the protocol must be LENGTH");
 
+	if (!strcmp(m->u.user.name, "ip") && fw->ethproto != htons(ETH_P_IP))
+		xtables_error(PARAMETER_PROBLEM,
+			      "For IP filtering the protocol must be specified as IPv4.");
+
+	if (!strcmp(m->u.user.name, "ip6") && fw->ethproto != htons(ETH_P_IPV6))
+		xtables_error(PARAMETER_PROBLEM,
+			      "For IPv6 filtering the protocol must be specified as IPv6.");
+
 	return add_match(h, r, m);
 }
 
-- 
cgit v1.2.3