Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-bridge.c | 2 | ||||
-rw-r--r-- | iptables/nft-ipv4.c | 2 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 2 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/nft-only/0002invflags_0 | 10 |
4 files changed, 13 insertions, 3 deletions
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 386da869..7dcc0c1a 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -222,7 +222,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
 add_cmp_u16(r, fw->ethproto, op);
 }
- add_compat(r, fw->ethproto, fw->invflags);
+ add_compat(r, fw->ethproto, fw->invflags & EBT_IPROTO);
 for (iter = cs->match_list; iter; iter = iter->next) {
 if (iter->ismatch) {
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index eaf861d1..4f31a516 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -75,7 +75,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 add_cmp_u16(r, 0, op);
 }
- add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
+ add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
 /* Use nft built-in comments support instead of comment match */
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index fa5b8c89..c651b16d 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -60,7 +60,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
 &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk, sizeof(struct in6_addr), op);
 }
- add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
+ add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
 /* Use nft built-in comments support instead of comment match */
diff --git a/iptables/tests/shell/testcases/nft-only/0002invflags_0 b/iptables/tests/shell/testcases/nft-only/0002invflags_0
new file mode 100755
index 00000000..406b6081
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0002invflags_0
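Review bot: The masked argument in the `add_compat` call carries no explanation of why only the protocol-inversion bit is passed, so a later reader may "simplify" it back to the full `invflags` and reintroduce the behaviour this commit fixes; a one-line comment above the call such as `/* compat info describes only the L4 protocol match; other inversion bits must not be reported as proto inversion */` would pin the intent. The same applies to the nft-ipv4.c and nft-ipv6.c hunks, which mask with XT_INV_PROTO for the same purpose, while nft-bridge.c uses EBT_IPROTO, presumably the bridge family's equivalent flag. If add_compat's third parameter is a bool, the old full-flag argument reported an inverted protocol whenever any other match (for example `! -s`) was negated, which is what the new shell test appears to exercise. nft_bridge_add's body continues outside the hunk.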
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+$XT_MULTI iptables -A INPUT -p tcp --dport 53 ! -s 192.168.0.1 -j ACCEPT
+$XT_MULTI ip6tables -A INPUT -p tcp --dport 53 ! -s feed:babe::1 -j ACCEPT
+$XT_MULTI ebtables -A INPUT -p IPv4 --ip-src 10.0.0.1 ! -i lo -j ACCEPT
+
|
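Review bot: The skip check uses `[[ ... ]]`, a bash/ksh construct, while the shebang is `#!/bin/sh`; where /bin/sh is a POSIX shell such as dash, `[[` is an unknown command, the `||` branch fires and the script prints "skip" and exits 0, so the test silently never runs. A portable form is `case "$XT_MULTI" in */xtables-nft-multi) ;; *) echo "skip $XT_MULTI"; exit 0 ;; esac`. The three rule inserts rely on `set -e` to fail the test if any is rejected, which is fine, but a comment such as `# each rule negates a non-protocol match; the nft backend must still accept it` would tell a later reader what regression this guards against.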