author | Phil Sutter <phil@nwl.cc> | 2018-08-31 22:30:58 +0200 |
committer | Florian Westphal <fw@strlen.de> | 2018-09-01 10:12:59 +0200 |
commit | 7df11d1699ceaf4a841a46a42f446aec5593efd3 (patch) | |
tree | 7bec94269b58c7dd2a894b57e5d975a7509bf348 /iptables/nft-ipv6.c | |
parent | b6a06c1a215f867f7eee4a3f2f40ec14028fe186 (diff) |
xtables: Drop use of IP6T_F_PROTO
Setting this bit in cs->fw6.ipv6.flags was done only for rules parsed
from command line, not for those read from kernel. As a result,
appropriate rules could not be deleted. A simple test case is:
| # ip6tables-nft -A INPUT -p tcp -j ACCEPT
| # ip6tables-nft -D INPUT -p tcp -j ACCEPT
| iptables: Bad rule (does a matching rule exist in that chain?).
Since the flag is not used anywhere in xtables-nft, dropping its use fixes
the bug just as well as setting it in both cases would.
Fixes: 5ee03e6df4172 ("xtables: Use meta l4proto for -p match")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r-- | iptables/nft-ipv6.c | 4 |
1 files changed, 0 insertions, 4 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 48a7cefe..b1b20ba1 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -171,7 +171,6 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 		break;
 	case offsetof(struct ip6_hdr, ip6_nxt):
 		get_cmp_data(e, &proto, sizeof(proto), &inv);
-		cs->fw6.ipv6.flags |= IP6T_F_PROTO;
 		cs->fw6.ipv6.proto = proto;
 		if (inv)
 			cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
@@ -325,9 +324,6 @@ static void nft_ipv6_proto_parse(struct iptables_command_state *cs,
 static void nft_ipv6_post_parse(int command, struct iptables_command_state *cs,
 				struct xtables_args *args)
 {
-	if (args->proto != 0)
-		args->flags |= IP6T_F_PROTO;
-
 	cs->fw6.ipv6.flags = args->flags;
 	/* We already set invflags in proto_parse, but we need to refresh it
 	 * to include new parsed options.
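Review bot: The remaining `cs->fw6.ipv6.flags = args->flags;` in nft_ipv6_post_parse still copies whatever other bits the command-line parser leaves in args->flags, while the kernel-side path in nft_ipv6_parse_payload now sets no flags bit at all, so the command-line/kernel asymmetry that made `-D` fail for `-p` can recur for any other bit that reaches args->flags; whether `ipv6.flags` takes part in rule comparison is decided outside this hunk, so I can only flag the risk. I would document the invariant right above that assignment: `/* Rules parsed back from the kernel never set ipv6.flags; any bit set here only for command-line rules must stay out of rule matching. */`. The reproducer in the description (an `-A`/`-D` pair with `-p tcp`) is the natural regression test for this fix. nft_ipv6_post_parse continues past the end of the hunk.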