| field | value | date |
|---|---|---|
| author | Phil Sutter <phil@nwl.cc> | 2018-08-09 18:06:56 +0200 |
| committer | Florian Westphal <fw@strlen.de> | 2018-08-09 21:54:17 +0200 |
| commit | 9ca32c40ed4f0648893989c1e5d03e9fecc501ae | |
| tree | d7c284ad9cc1c35821e8d23468b79670dacc59d2 /iptables/nft-ipv4.c | |
| parent | e055aebe63c5d12be8e58e1dc5a5a018c3adf2ac | |
xtables: Don't pass full invflags to add_compat()
The function expects a boolean, not a bitfield. This bug caused
inversion in another match to carry over to the protocol match by accident.
The supplied testcase contains rules which then fail because they
contain matches requiring that protocol.
Fixes: 4ef77b6d1b52e ("xtables: fix missing protocol and invflags")
Fixes: 4143a08819a07 ("ebtables-compat: add nft rule compat information to bridge rules")
Signed-off-by: Phil Sutter <phil@nwl.cc>
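The bug class the commit message describes, as an added stand-alone example (not code from the iptables project): `add_compat()` is modelled here by a hypothetical function taking a C `bool`, so any non-zero argument, including an unrelated inversion bit such as `IPT_INV_SRCIP`, collapses to `true`. The flag values match the Linux uapi headers but are redefined locally; the `compat_info` struct and the two caller functions are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as in the Linux uapi headers (ip_tables.h / x_tables.h),
 * redefined here so the example compiles on its own. */
#define IPT_INV_SRCIP 0x08
#define XT_INV_PROTO  0x40

/* Hypothetical stand-in for the compat record the real add_compat()
 * attaches to a rule; only the two fields this bug concerns. */
struct compat_info {
    uint32_t proto;
    bool     inv;   /* true means "match if protocol is NOT proto" */
};

/* Hypothetical stand-in for add_compat(): the parameter is a bool, so any
 * non-zero argument, including a foreign flag bit, becomes inv = true. */
static void add_compat(struct compat_info *c, uint32_t proto, bool inv)
{
    c->proto = proto;
    c->inv = inv;
}

/* Pre-patch caller: hands the whole invflags bitfield to the bool. */
bool proto_inverted_buggy(uint32_t proto, uint8_t invflags)
{
    struct compat_info c;
    add_compat(&c, proto, invflags);
    return c.inv;
}

/* Post-patch caller: masks down to the one bit that means "! -p". */
bool proto_inverted_fixed(uint32_t proto, uint8_t invflags)
{
    struct compat_info c;
    add_compat(&c, proto, invflags & XT_INV_PROTO);
    return c.inv;
}

int main(void)
{
    /* Constructed case: a rule like "! -s 10.0.0.1 -p tcp" sets
     * IPT_INV_SRCIP only; the protocol match must NOT be inverted. */
    uint8_t invflags = IPT_INV_SRCIP;
    printf("buggy: proto inverted = %d\n", proto_inverted_buggy(6, invflags));
    printf("fixed: proto inverted = %d\n", proto_inverted_fixed(6, invflags));
    return 0;
}
```

With the source-address inversion set, the buggy caller reports the protocol as inverted and the fixed caller does not; a rule carrying matches that need `-p tcp` then behaves as the commit message describes in the first case and loads normally in the second.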
Diffstat (limited to 'iptables/nft-ipv4.c')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | iptables/nft-ipv4.c | 2 |

1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index eaf861d1..4f31a516 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data) add_cmp_u16(r, 0, op); } - add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags); + add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO); for (matchp = cs->matches; matchp; matchp = matchp->next) { /* Use nft built-in comments support instead of comment match */ |
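Review bot: `cs->fw.ip.invflags & XT_INV_PROTO` is still a flag bit (0 or the value of `XT_INV_PROTO`), not a 0/1 value, so the change only yields a proper boolean if `add_compat()` declares that parameter as `bool`; if it is an `int` that is stored or compared rather than tested for non-zero, the call should be `add_compat(r, cs->fw.ip.proto, !!(cs->fw.ip.invflags & XT_INV_PROTO));`. The signature is not visible in this hunk, so please confirm. Separately, this view is limited to `iptables/nft-ipv4.c` while the second Fixes tag names the ebtables-compat bridge path; the other `add_compat()` callers presumably need the same masking, which cannot be checked from here.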