From 4ef77b6d1b52e1fe52a7fd48d38d9233f0961640 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 24 Mar 2013 13:15:23 +0100
Subject: xtables: fix missing protocol and invflags

xtables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables: Target problem. Run `dmesg' for more information
x_tables: ip_tables: tcp match: only valid for protocol

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv4.c | 2 ++
 iptables/nft-ipv6.c | 2 ++
 iptables/nft-shared.h | 1 +
 iptables/nft.c | 2 +-
 4 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ac2b27b8..0a601243 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -60,6 +60,8 @@ static int nft_ipv4_add(struct nft_rule *r, struct iptables_command_state *cs) add_cmp_u16(r, 0, op); } + add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags); + return cs->fw.ip.flags; }
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index a2e80306..65a89490 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -42,6 +42,8 @@ static int nft_ipv6_add(struct nft_rule *r, struct iptables_command_state *cs) add_proto(r, offsetof(struct ip6_hdr, ip6_nxt), 1, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags); + return cs->fw6.ipv6.flags; }
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index f55d6f68..b301d411 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -63,6 +63,7 @@ void add_addr(struct nft_rule *r, int offset, void *data, size_t len, int invflags); void add_proto(struct nft_rule *r, int offset, size_t len, uint32_t proto, int invflags); +void add_compat(struct nft_rule *r, uint32_t proto, bool inv); bool is_same_interfaces(const char *a_iniface, const char *a_outiface, unsigned const char *a_iniface_mask,
diff --git a/iptables/nft.c b/iptables/nft.c
index f39f4071..e55c18c1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
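Review bot: The added `add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);` in nft_ipv4_add hands the entire `invflags` bitmask to a parameter the nft-shared.h hunk declares as `bool inv`, so any negated match at all (`! -s`, `! -i`, …) becomes `true` and is recorded as a protocol inversion even when `-p` was not negated. Going by the commit message, the kernel consults this compat information when it checks that a tcp/udp match is only used with its protocol, so a rule like `! -s 10.0.0.0/8 -p tcp --dport 22` would presumably be rejected or have its dependency mis-recorded — confirm against the kernel side. Mask down to the protocol-inversion bit before the call, `add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & IPT_INV_PROTO);`, assuming the ip_tables header that defines the `cs->fw.ip` fields (and that flag) is already included here. nft_ipv4_add begins before this hunk.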
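Review bot: The new `add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);` in nft_ipv6_add has the same problem as the IPv4 side: the full `invflags` bitmask is passed where the prototype takes `bool inv`, so any inverted address or interface match is reported as a negated protocol. The neighbouring `add_proto()` call receives the same bitmask as `int invflags` and can pick the bit it needs, but a `bool` parameter cannot. Pass only the protocol bit, `add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & IP6T_INV_PROTO);`, provided the ip6_tables header defining `cs->fw6.ipv6` is in scope — verify. nft_ipv6_add begins before this hunk.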
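Review bot: The new prototype `void add_compat(struct nft_rule *r, uint32_t proto, bool inv);` takes `bool inv` while its siblings `add_addr` and `add_proto` on the surrounding lines take `int invflags`; C converts any non-zero bitmask to `true` without a diagnostic, so a caller that passes the whole invflags word (as the nft-ipv4.c and nft-ipv6.c hunks of this patch do) is never warned. Either keep `bool` and spell out the contract above the declaration, e.g. `/* inv: set only when the protocol match itself is negated, never the raw invflags mask */`, or change the parameter to `int invflags` and let add_compat mask the protocol bit so the helper family stays uniform. The declaration list continues past both ends of this hunk.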
@@ -664,7 +664,7 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes) nft_rule_add_expr(r, expr); } -static void add_compat(struct nft_rule *r, uint32_t proto, bool inv) +void add_compat(struct nft_rule *r, uint32_t proto, bool inv) { nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto); nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS, -- cgit v1.2.3
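Review bot: `add_compat` becomes part of the shared helper API on the `+void add_compat(...)` line, yet it carries no comment describing what the two compat attributes mean; the commit message shows the kernel error (`tcp match: only valid for protocol`) that results when they are absent. A short header comment above the definition would help the next caller, e.g. stating that it records the L4 protocol and the protocol-inversion flag in NFT_RULE_ATTR_COMPAT_PROTO / NFT_RULE_ATTR_COMPAT_FLAGS so the kernel's xt compat layer can check match and target protocol dependencies — only the attribute names are visible here, so word it as the kernel side confirms. The value written to COMPAT_FLAGS is cut off at the hunk boundary; since `inv` is a `bool`, confirm that line derives a flag bit from it rather than storing a caller-supplied bitmask. The function body continues past the end of the hunk.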