author | Pablo Neira Ayuso <pablo@netfilter.org> | 2023-06-09 12:30:30 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-06-16 13:37:16 +0200 |
commit | 69278f9602b43df80821c55c21c0666f5c6f7e2f (patch) | |
tree | 2f513de9156cc4dd01b74d53847678d90ab62354 /iptables | |
parent | 3513f2dd8b9c101dcecee6145a7eac62297ca1c8 (diff) |
nft: use payload matching for layer 4 protocol
This is an IPv4 header, which does not require the special handling
that IPv6 needs, so use payload matching instead of meta l4proto;
it is slightly faster in this case.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-ipv4.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index d67d8198..2a5d25d8 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -61,7 +61,8 @@ static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r,
 	if (cs->fw.ip.proto != 0) {
 		op = nft_invflags2cmp(cs->fw.ip.invflags, XT_INV_PROTO);
-		add_l4proto(h, r, cs->fw.ip.proto, op);
+		add_proto(h, r, offsetof(struct iphdr, protocol),
+			  sizeof(uint8_t), cs->fw.ip.proto, op);
 	}
 	if (cs->fw.ip.flags & IPT_F_FRAG) {