diff options
| author | Sriram Rajagopalan <bglsriram@gmail.com> | 2024-03-13 02:04:37 -0700 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2024-03-19 16:57:48 +0100 |
| commit | 681935f6cb5734e120b5efe5aa8512508e2793f4 (patch) | |
| tree | 918fc5fb0bf9b23bc4c1bdf81b11ca9cc1cef644 /iptables/nft.c | |
| parent | a62fe15abcc997c38c3b46c5273961d3e9579293 (diff) | |
nft: Do not combine inverted payload matches
Fixed the issue with combining the payload in case of invert filter for
tcp src and dst ports.
Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
| -rw-r--r-- | iptables/nft.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index ee63c3dc..884cc77e 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1307,14 +1307,12 @@ static int add_nft_tcpudp(struct nft_handle *h,struct nftnl_rule *r, uint8_t reg; int ret; - if (src[0] && src[0] == src[1] && + if (!invert_src && + src[0] && src[0] == src[1] && dst[0] && dst[0] == dst[1] && invert_src == invert_dst) { uint32_t combined = dst[0] | (src[0] << 16); - if (invert_src) - op = NFT_CMP_NEQ; - expr = gen_payload(h, NFT_PAYLOAD_TRANSPORT_HEADER, 0, 4, ®); if (!expr) return -ENOMEM; |