authorPhil Sutter <>2018-08-09 18:06:56 +0200
committerFlorian Westphal <>2018-08-09 21:54:17 +0200
commit9ca32c40ed4f0648893989c1e5d03e9fecc501ae (patch)
treed7c284ad9cc1c35821e8d23468b79670dacc59d2 /iptables/nft-bridge.c
parente055aebe63c5d12be8e58e1dc5a5a018c3adf2ac (diff)
xtables: Don't pass full invflags to add_compat()
The function expects a boolean, not a bitfield. This bug caused an inversion flag set on another match to carry over to the protocol match by accident. The supplied testcase contains rules which then fail because they contain matches requiring that protocol. Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags") Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules") Signed-off-by: Phil Sutter <>
Diffstat (limited to 'iptables/nft-bridge.c')
1 files changed, 1 insertions, 1 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 386da869..7dcc0c1a 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
add_cmp_u16(r, fw->ethproto, op);
- add_compat(r, fw->ethproto, fw->invflags);
+ add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
for (iter = cs->match_list; iter; iter = iter->next) {
if (iter->ismatch) {
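Review bot: The new third argument `fw->invflags & EBT_IPROTO` is still a masked bitfield rather than a boolean, and it only does the right thing because the parameter is (per the description) a `bool`, so the implicit conversion collapses any nonzero value to 1; if the prototype were ever widened to an `int` compared against 1, the original bug would return in a subtler form. Making the intent explicit at the call site, `add_compat(r, fw->ethproto, !!(fw->invflags & EBT_IPROTO));`, costs nothing and documents that only the protocol-inversion bit is meant to reach the compat metadata. The compat information appears to be what later consumers rely on to recover the protocol and its inversion (the description notes that matches requiring that protocol failed), while the actual kernel match is the `add_cmp_u16` on the line above whose `op` is computed outside the hunk, so a short comment such as `/* compat info carries only the protocol inversion; other invflags belong to their own matches */` would help the next reader avoid reintroducing the full bitfield. nft_bridge_add() begins and ends outside this hunk.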