diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-03-24 13:15:23 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:28 +0100 |
| commit | 4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 (patch) | |
| tree | 08fa0bf0917dcb00a9665dc25c5162599815ce2a | |
| parent | 98ffe9f8a5aa730fed0a5b2f2ac337ca2511700e (diff) | |
xtables: fix missing protocol and invflags
xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | iptables/nft-ipv4.c | 2 | ||||
| -rw-r--r-- | iptables/nft-ipv6.c | 2 | ||||
| -rw-r--r-- | iptables/nft-shared.h | 1 | ||||
| -rw-r--r-- | iptables/nft.c | 2 |
4 files changed, 6 insertions, 1 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index ac2b27b8..0a601243 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -60,6 +60,8 @@ static int nft_ipv4_add(struct nft_rule *r, struct iptables_command_state *cs) add_cmp_u16(r, 0, op); } + add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags); + return cs->fw.ip.flags; } diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index a2e80306..65a89490 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -42,6 +42,8 @@ static int nft_ipv6_add(struct nft_rule *r, struct iptables_command_state *cs) add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + return cs->fw6.ipv6.flags; } diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index f55d6f68..b301d411 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -63,6 +63,7 @@ void add_addr(struct nft_rule *r, int offset, void *data, size_t len, int invflags); void add_proto(struct nft_rule *r, int offset, size_t len, uint32_t proto, int invflags); +void add_compat(struct nft_rule *r, uint32_t proto, bool inv); bool is_same_interfaces(const char *a_iniface, const char *a_outiface, unsigned const char *a_iniface_mask, diff --git a/iptables/nft.c b/iptables/nft.c index f39f4071..e55c18c1 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -664,7 +664,7 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes) nft_rule_add_expr(r, expr); } -static void add_compat(struct nft_rule *r, uint32_t proto, bool inv) +void add_compat(struct nft_rule *r, uint32_t proto, bool inv) { nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto); nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS, |