-rw-r--r--iptables/nft-ruleparse.c10
-rw-r--r--iptables/nft.c5
2 files changed, 14 insertions, 1 deletions
diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index 757d3c29..26a605cf 100644
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -243,6 +243,11 @@ static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_XOR, &len);
+ if (!data) {
+ ctx->errmsg = "missing bitwise xor attribute";
+ return;
+ }
+
if (len > sizeof(dreg->bitwise.xor)) {
ctx->errmsg = "bitwise xor too large";
return;
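Review bot: The new NULL check reports a non-boolean bitwise operation as "missing bitwise xor attribute", because nft_parse_bitwise infers an unsupported expression only from the absence of the XOR attribute. The function starts outside this hunk, so an operation check may already exist earlier. If it does not, I would add one before the first nftnl_expr_get() call: `if (nftnl_expr_get_u32(e, NFTNL_EXPR_BITWISE_OP) != NFT_BITWISE_BOOL) { ctx->errmsg = "unsupported bitwise operation"; return; }`. The same applies to the mask check in the second hunk. The NULL checks should stay either way, since the expressions presumably come from a ruleset that other tools can also write, and the parser should not assume any attribute is present.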
@@ -252,6 +257,11 @@ static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
data = nftnl_expr_get(e, NFTNL_EXPR_BITWISE_MASK, &len);
+ if (!data) {
+ ctx->errmsg = "missing bitwise mask attribute";
+ return;
+ }
+
if (len > sizeof(dreg->bitwise.mask)) {
ctx->errmsg = "bitwise mask too large";
return;
diff --git a/iptables/nft.c b/iptables/nft.c
index 220bd56d..da008070 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -4008,7 +4008,6 @@ static const char *supported_exprs[] = {
"payload",
"meta",
"cmp",
- "bitwise",
"counter",
"immediate",
"lookup",
@@ -4035,6 +4034,10 @@ static int nft_is_expr_compatible(struct nftnl_expr *expr, void *data)
nftnl_expr_is_set(expr, NFTNL_EXPR_LOG_GROUP))
return 0;
+ if (!strcmp(name, "bitwise") &&
+ nftnl_expr_get_u32(expr, NFTNL_EXPR_BITWISE_OP) == NFT_BITWISE_BOOL)
+ return 0;
+
return -1;
}
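Review bot: The added condition in nft_is_expr_compatible relies on two things the code does not state: that an unset NFTNL_EXPR_BITWISE_OP reads back as 0, and that NFT_BITWISE_BOOL is 0. As far as I can tell nftnl_expr_get_u32() does return 0 for an unset attribute, so a bitwise expression with no op attribute is accepted as boolean. That looks intended, presumably for kernels that do not send the attribute, but it deserves a comment above the condition, e.g. `/* an absent op attribute reads as 0 == NFT_BITWISE_BOOL, i.e. plain mask/xor */`. The function begins outside the hunk, so `name` and the earlier checks are not visible here.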