path: root/iptables/nft.c
authorPhil Sutter <phil@nwl.cc>2024-02-02 13:14:29 +0100
committerPhil Sutter <phil@nwl.cc>2024-02-02 18:26:14 +0100
commit4195a89ab2e2bd690ba255e40a5c3d309f031796 (patch)
tree29afaaeb5482f454c10044510d4ea2591508000f /iptables/nft.c
parent9d400db20cf9f1c4a57c0791e563f22bafcd841a (diff)
nft: Do not omit full ranges if inverted
Otherwise this turns a never-matching rule into an always-matching one. Fixes: c034cf31dd1a9 ("nft: prefer native expressions instead of udp match") Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index c2cbc9d7..dae6698d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1324,7 +1324,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
return 0;
}
- if (src[0] || src[1] < 0xffff) {
+ if (src[0] || src[1] < UINT16_MAX || invert_src) {
expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 2, &reg);
if (!expr)
return -ENOMEM;
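Review bot: The new `|| invert_src` term in the condition carries the whole correctness argument of this fix, yet nothing at the line says why an inverted full range must still produce a payload expression, so the next person tidying this code can easily "simplify" it back into the always-match bug. I would put a short comment directly above the condition, e.g. `/* A full range is a no-op, but an inverted full range must still be emitted: it never matches. */`. The commit also adds no regression case; if the tree's shell testcases cover rule round-trips, a case like `! --sport 0:65535` that asserts the rule never matches would pin this behaviour, but I cannot see the test layout from here. Note that add_nft_tcpudp starts before this hunk, so the declarations and types of src and invert_src are not visible in it.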
@@ -1335,7 +1335,7 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r,
return ret;
}
- if (dst[0] || dst[1] < 0xffff) {
+ if (dst[0] || dst[1] < UINT16_MAX || invert_dst) {
expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 2, 2, &reg);
if (!expr)
return -ENOMEM;
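Review bot: The destination condition is now a verbatim copy of the source one except for the array and flag names, and this bug had to be fixed in both places at once, which is a sign the predicate should live in one spot. A small file-local helper along the lines of `static bool port_range_needs_match(const uint16_t *range, bool invert)` returning `range[0] || range[1] < UINT16_MAX || invert`, called from both branches, would make a future change to the semantics a one-line edit; the actual element type of src/dst is not visible in the hunk, so adjust the parameter type to match. The helper should carry the comment that an inverted full range is emitted because it never matches, so the reasoning is documented once. add_nft_tcpudp continues past the end of this hunk.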