xtables-compat: fix ipv4 frag (-f)
iptables-translate -A I -f
nft add rule ip filter I ip frag-off != 0 counter

iptables however checks:

    frag_off = ntohs(iph->frag_off) & IP_OFFSET;
    if (NF_INVF(ipinfo, IPT_INV_FRAG,
                (ipinfo->flags & IPT_F_FRAG) && !frag_off))
        return false;

So we need to mask off non-offset bits.

Second issue is that we negated the meaning in ipt-restore.

-f should match if (frag_off & IP_OFFSET) NE 0
! -f matches non-fragmented packets, i.e. frag_off & IP_OFFSET == 0.

So we cannot use nft_invflags2cmp(), as that will use NEQ for negation, but we need EQ instead here.

Signed-off-by: Florian Westphal <>
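
As an added illustration that is not part of this commit or of the xtables code, the C below emulates the kernel fragment check quoted above and the comparison the translated nft rule has to perform, next to the unmasked form that the commit replaces. The IP_OFFSET, IPT_F_FRAG and IPT_INV_FRAG values are copied from the Linux uapi headers; the flag and header-field inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Values as defined in the Linux uapi headers
 * (linux/ip.h, linux/netfilter_ipv4/ip_tables.h). */
#define IP_OFFSET_MASK 0x1FFFu  /* low 13 bits: fragment offset */
#define IPT_F_FRAG     0x01u    /* rule was given -f or ! -f */
#define IPT_INV_FRAG   0x20u    /* rule was given ! -f */

/* Emulates the kernel check quoted in the commit message: NF_INVF() xors
 * the test result with the inversion flag, and a true result rejects the
 * packet. frag_off_be is the 16-bit header field in network byte order. */
static bool ipt_frag_matches(uint16_t frag_off_be, unsigned flags, unsigned invflags)
{
    uint16_t frag_off = ntohs(frag_off_be) & IP_OFFSET_MASK;
    bool test = (flags & IPT_F_FRAG) && !frag_off;
    bool reject = test ^ !!(invflags & IPT_INV_FRAG);   /* NF_INVF */
    return !reject;
}

/* The comparison the translated nft rule has to express on the masked
 * field: NEQ 0 for "-f", EQ 0 for "! -f". nft_invflags2cmp() picks NEQ
 * when the inversion flag is set, which is the opposite of what "! -f"
 * needs, so the operator is chosen explicitly here. */
static bool nft_frag_matches(uint16_t frag_off_be, bool inverted)
{
    uint16_t offset = ntohs(frag_off_be) & IP_OFFSET_MASK;
    return inverted ? offset == 0 : offset != 0;
}

/* The unmasked form "ip frag-off != 0": wrong, because the DF (0x4000)
 * and MF (0x2000) bits live in the same 16-bit field as the offset. */
static bool unmasked_frag_matches(uint16_t frag_off_be)
{
    return ntohs(frag_off_be) != 0;
}
```

A packet with only DF set shows the first bug (the unmasked rule treats it as a fragment), and the `! -f` cases show why the compare operator must be EQ rather than the inverted NEQ.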
