From 05947c82232e3a3d20f93a1ba18e35e7f4e23671 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 11 Nov 2018 22:02:39 +0100
Subject: iptables-nft: fix -f fragment option

This needs to be passed in network byte order.

Reported-by: Arno van Amersfoort
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1292
Signed-off-by: Florian Westphal
---
 iptables/nft-ipv4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 6a8a7ced..ffb439b4 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -64,7 +64,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 add_payload(r, offsetof(struct iphdr, frag_off), 2, NFT_PAYLOAD_NETWORK_HEADER);
 /* get the 13 bits that contain the fragment offset */
- add_bitwise_u16(r, 0x1fff, 0);
+ add_bitwise_u16(r, htons(0x1fff), 0);
 /* if offset is non-zero, this is a fragment */
 op = NFT_CMP_NEQ;
--
cgit v1.2.3
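Review bot: The comment above the changed `add_bitwise_u16()` call still only names the bits wanted and does not record why the mask is wrapped in `htons()`, so a later cleanup could drop the conversion again. I would extend it to something like `/* mask is applied to the raw header bytes, so it must be in network byte order */`. With the host-order constant, a little-endian build would have masked the flag bits (DF/MF) and only part of the offset, so `-f` rules could match unfragmented packets and miss some fragments. Rules loaded by an unfixed binary presumably keep the old mask until the ruleset is reloaded. `nft_ipv4_add()` starts and ends outside the hunk, so other `add_bitwise_u16()` callers could not be checked here.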