From 52ed0ac516db9f3a44f61dfd8b65d20631bfa95b Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 6 Sep 2023 16:32:47 +0200
Subject: nft: Fix for useless meta expressions in rule

A relict of legacy iptables' mandatory matching on interfaces and IP addresses is support for the '-i +' notation, basically a "match any input interface". Trying to make things better than its predecessor, iptables-nft boldly optimizes that nop away - not entirely though, the meta expression loading the interface name was left in place. While not a problem (apart from pointless overhead) in current HEAD, v1.8.7 would trip over this as a following cmp expression (for another match) was incorrectly linked to that stale meta expression, loading strange values into the respective interface name field. While being at it, merge and generalize the functions into a common one for use with ebtables' NFT_META_BRI_(I|O)IFNAME matches, too.
Fixes: 0a8635183edd0 ("xtables-compat: ignore '+' interface name")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1702
Signed-off-by: Phil Sutter
---
 iptables/nft-ipv6.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'iptables/nft-ipv6.c')
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d53f87c1..5aef365b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -54,12 +54,12 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
 if (cs->fw6.ipv6.iniface[0] != '\0') {
 op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_IN);
- add_iniface(h, r, cs->fw6.ipv6.iniface, op);
+ add_iface(h, r, cs->fw6.ipv6.iniface, NFT_META_IIFNAME, op);
 }
 if (cs->fw6.ipv6.outiface[0] != '\0') {
 op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_OUT);
- add_outiface(h, r, cs->fw6.ipv6.outiface, op);
+ add_iface(h, r, cs->fw6.ipv6.outiface, NFT_META_OIFNAME, op);
 }
 if (cs->fw6.ipv6.proto != 0) {
-- cgit v1.2.3
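Review bot: The "+" (any-interface) case this commit is about is not visible at the call sites: both `if (cs->fw6.ipv6.iniface[0] != '\0')` and the matching outiface guard still pass a "+" name through to add_iface(), so the stale NFT_META_IIFNAME/OIFNAME load described in the message is avoided only if add_iface() itself emits nothing for "+", and that function is outside this hunk (and, per the diffstat, outside this view of the patch). A one-line comment at the first call site would save the next reader from having to verify that contract elsewhere, e.g. `/* "+" means any interface; add_iface() is expected to emit no meta/cmp for it */`. The enclosing nft_ipv6_add() begins and ends outside the hunk, so whether its return value reflects a failure inside add_iface() cannot be judged from here.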