path: root/iptables/nft-shared.h
diff options
authorPhil Sutter <>2018-08-20 15:30:03 +0200
committerFlorian Westphal <>2018-08-21 17:57:16 +0200
commit5ee03e6df41727652e0dc6ffaef8411b8840d812 (patch)
treee459442cfb4035a6bba51db4bd7c49ea344cb14f /iptables/nft-shared.h
parent37b68b2bc903112a74545c7f4a49c89e889582a9 (diff)
xtables: Use meta l4proto for -p match
Use of payload expression to match against IPv6 nexthdr field does not work if extension headers are present. A simple example for that is matching for fragmented icmpv6 traffic. Instead, generate a 'meta l4proto' expression which works even if extension headers are present. For consistency, apply the same change to iptables-nft as well. No adjustment to reverse path required as the needed bits were added by commit 6ea7579e6fe24 ("nft: decode meta l4proto") already. Signed-off-by: Phil Sutter <> Signed-off-by: Florian Westphal <>
Diffstat (limited to 'iptables/nft-shared.h')
1 files changed, 1 insertions, 0 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 80750784..59e1062a 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -122,6 +122,7 @@ void add_addr(struct nftnl_rule *r, int offset,
void *data, void *mask, size_t len, uint32_t op);
void add_proto(struct nftnl_rule *r, int offset, size_t len,
uint8_t proto, uint32_t op);
+void add_l4proto(struct nftnl_rule *r, uint8_t proto, uint32_t op);
void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv);
bool is_same_interfaces(const char *a_iniface, const char *a_outiface,