diff options
author | Phil Sutter <phil@nwl.cc> | 2024-02-02 13:14:29 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2024-02-02 18:26:14 +0100 |
commit | 4195a89ab2e2bd690ba255e40a5c3d309f031796 (patch) | |
tree | 29afaaeb5482f454c10044510d4ea2591508000f /iptables/nft.c | |
parent | 9d400db20cf9f1c4a57c0791e563f22bafcd841a (diff) |
nft: Do not omit full ranges if inverted
Otherwise this turns a never matching rule into an always matching one.
Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index c2cbc9d7..dae6698d 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1324,7 +1324,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, return 0; } - if (src[0] || src[1] < 0xffff) { + if (src[0] || src[1] < UINT16_MAX || invert_src) { expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 2, ®); if (!expr) return -ENOMEM; @@ -1335,7 +1335,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, return ret; } - if (dst[0] || dst[1] < 0xffff) { + if (dst[0] || dst[1] < UINT16_MAX || invert_dst) { expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 2, 2, ®); if (!expr) return -ENOMEM; |